FIREWALL RSDJATIROTO.ikc.co.id
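#!/bin/bash
#--------------------------------------------------------------------#
# Scenario: - eth1 (NIC on the LAN side)                              #
#           - ppp0 (dial-up / Internet interface)                     #
# This firewall script sets up NAT for the LAN and forces LAN hosts   #
# through the proxy machine whenever they connect to ports 80, 8080   #
# or 3128.                                                            #
#   Info : dms@ikc.co.id                                              #
#--------------------------------------------------------------------#
# Note: there is deliberately no 'set -e' here; a failing modprobe or
# /proc write further down must not leave the box with half-loaded rules.
printf '\n\nSETTING UP IPTABLES PROXY...\n'

# Site-specific interfaces and addresses; adjust before use.
readonly IPTABLES=/sbin/iptables
readonly INTIF="eth1"             # LAN side
readonly EXTIF="ppp0"             # Internet side
readonly LAN="192.168.1.0/24"     # prefix whose hosts may be forwarded
readonly SERVER="192.168.1.1"     # proxy host that LAN web traffic is DNATed to
readonly EXTIP="180.253.84.62"    # informational only; printed, never matched on
readonly EXTIP1="180.0.0.0/8"     # -d match for the remote-admin ACCEPTs; a /8 barely
                                  # constrains the destination, so it is the -s that matters
readonly REMOTEIP="36.81.0.0/16"  # source ranges allowed to reach PORTTRIMA from outside
readonly REMOTEIP1="125.167.0.0/16"
readonly PORTTRIMA="22,10000"     # remote-admin ports (multiport list): ssh and 10000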
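printf 'Loading required stateful/NAT kernel modules...\n'
#/bin/internet # extra binary to bring the Internet link up over the Flash modem
/sbin/depmod -a
# These are the legacy (pre-nf_conntrack) module names. On newer kernels they
# may only exist as aliases or not at all; since the script does not use
# 'set -e', a failed modprobe is reported and the rules below still load.
for mod in ip_tables ip_conntrack ip_conntrack_ftp ip_conntrack_irc \
           iptable_nat ip_nat_ftp ip_nat_irc; do
  /sbin/modprobe "$mod"
done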
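# Kernel network hardening / tuning via /proc.
# set_proc PATH VALUE - write VALUE (plus newline) to the given /proc entry.
set_proc() {
  printf '%s\n' "$2" > "$1"
}
set_proc /proc/sys/net/ipv4/tcp_syncookies 1                # SYN-flood mitigation
#set_proc /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts 1
#set_proc /proc/sys/net/ipv4/icmp_echo_ignore_all 1
#set_proc /proc/sys/net/ipv4/conf/all/rp_filter 2
set_proc /proc/sys/net/ipv4/conf/all/accept_source_route 0  # refuse source-routed packets
set_proc /proc/sys/net/ipv4/tcp_timestamps 0
set_proc /proc/sys/net/ipv4/conf/all/accept_redirects 0     # ignore ICMP redirects
#set_proc /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses 1
#set_proc /proc/sys/net/ipv4/conf/all/log_martians 1
set_proc /proc/sys/net/ipv4/ip_local_port_range "32768 61000"
set_proc /proc/sys/net/ipv4/tcp_fin_timeout 30
set_proc /proc/sys/net/ipv4/tcp_keepalive_time 2400
# Turning off window scaling and SACK costs throughput on anything faster than
# a dial-up link; kept as configured, but worth revisiting.
set_proc /proc/sys/net/ipv4/tcp_window_scaling 0
set_proc /proc/sys/net/ipv4/tcp_sack 0
printf '   Enabling IP forwarding...\n'
set_proc /proc/sys/net/ipv4/ip_forward 1   # required for the router/NAT role
set_proc /proc/sys/net/ipv4/ip_dynaddr 1   # for links whose address changes on redial
printf '   External interface: %s\n' "$EXTIF"
printf '   External interface IP address is: %s\n' "$EXTIP"
printf '   Loading proxy server rules...\n'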
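# Clear any existing rules and user chains in every table, then set the
# default policies. (The original flushed twice and created a 'MACtest' chain
# that the following -X immediately deleted; both were no-ops and are gone.)
$IPTABLES -F
$IPTABLES -X
$IPTABLES -t nat -F
$IPTABLES -t nat -X
$IPTABLES -t mangle -F
$IPTABLES -t mangle -X
# INPUT/OUTPUT are default-allow: anything not explicitly DROPped below is
# reachable on the firewall itself, from the Internet side included.
# FORWARD is default-deny: LAN traffic passes only via the explicit ACCEPTs.
$IPTABLES -P INPUT ACCEPT
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -P FORWARD DROP
#$IPTABLES -P FORWARD ACCEPT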
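# Log every NAT'd packet leaving EXTIF at DEBUG level. This is one log line per
# packet on a busy link; rate-limit it (-m limit) or drop it once verified.
$IPTABLES -t nat -A POSTROUTING -o "$EXTIF" -j LOG --log-level DEBUG
# Replies to connections the firewall itself opened towards the Internet.
$IPTABLES -A INPUT -i "$EXTIF" -m state --state ESTABLISHED,RELATED -j ACCEPT
#------ Blocking peer-to-peer ports ------#
# Drops every LAN->Internet connection to a destination port above 5050. This
# also blocks legitimate services on high ports (passive FTP data, alternate
# HTTPS ports, ...); narrow the range if those are needed.
$IPTABLES -A FORWARD -i "$INTIF" -o "$EXTIF" -p tcp --dport 5051:65535 -j DROP
$IPTABLES -A FORWARD -i "$INTIF" -o "$EXTIF" -p udp --dport 5051:65535 -j DROP
#------------ NAT & MASQUERADE -----------#
# One MASQUERADE rule is enough; the original appended it twice.
$IPTABLES -t nat -A POSTROUTING -o "$EXTIF" -j MASQUERADE
#$IPTABLES -A FORWARD -i "$INTIF" -j ACCEPT
#------------ Transparent proxy, TCP ------#
# LAN web traffic on 80/8080/3128 is DNATed to the proxy on SERVER:8080.
for port in 80 8080 3128; do
  $IPTABLES -t nat -A PREROUTING -i "$INTIF" -p tcp --dport "$port" -j DNAT --to "$SERVER:8080"
done
#$IPTABLES -t nat -A PREROUTING -i "$INTIF" -p tcp --dport 443 -j DNAT --to "$SERVER:8080"
# The REDIRECT rules use the same match as the DNAT rules above and sit after
# them in PREROUTING, so they are never reached unless the DNATs are removed.
for port in 80 8080 3128; do
  $IPTABLES -t nat -A PREROUTING -i "$INTIF" -p tcp --dport "$port" -j REDIRECT --to-port 8080
done
#$IPTABLES -t nat -A PREROUTING -i "$INTIF" -p tcp --dport 443 -j REDIRECT --to-port 8080
#------------ Transparent proxy, UDP ------#
# Mirrors the TCP rules. An HTTP proxy normally listens on TCP only, so these
# most likely have no effect on web browsing; kept as configured.
for port in 80 8080 3128; do
  $IPTABLES -t nat -A PREROUTING -i "$INTIF" -p udp --dport "$port" -j DNAT --to "$SERVER:8080"
done
#$IPTABLES -t nat -A PREROUTING -i "$INTIF" -p udp --dport 443 -j DNAT --to "$SERVER:8080"
for port in 80 8080 3128; do
  $IPTABLES -t nat -A PREROUTING -i "$INTIF" -p udp --dport "$port" -j REDIRECT --to-port 8080
done
#$IPTABLES -t nat -A PREROUTING -i "$INTIF" -p udp --dport 443 -j REDIRECT --to-port 8080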
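#-------------- INPUT rules --------------#
# Everything here is INSERTED (-I), so the live chain is in reverse script
# order: the two blanket DROPs below end up beneath every ACCEPT inserted
# after them.
# Default-deny for LAN hosts talking to the firewall itself on ports 0-65000.
# Ports 65001+ remain reachable because the INPUT policy is ACCEPT.
$IPTABLES -I INPUT -p tcp -i "$INTIF" --dport 0:65000 -j DROP
$IPTABLES -I INPUT -p udp -i "$INTIF" --dport 0:65000 -j DROP
# Services the whole LAN may reach on the firewall: ssh, mysql, dns, smb,
# the proxy, and 10000. Consider restricting -s for 22 and 3306 to the
# hosts that actually need them. (The original listed 3306 twice.)
for port in 22 3306 53 445 8080 10000; do
  $IPTABLES -I INPUT -p tcp -i "$INTIF" --dport "$port" -j ACCEPT
  $IPTABLES -I INPUT -p udp -i "$INTIF" --dport "$port" -j ACCEPT
done
#$IPTABLES -I INPUT -p tcp -i "$EXTIF" -s 125.167.31.236/32 -d 110.139.54.163/32 --dport 22 -j ACCEPT
#$IPTABLES -I INPUT -p udp -i "$EXTIF" -s 125.167.31.236/32 -d 110.139.54.163/32 --dport 22 -j ACCEPT
#$IPTABLES -I INPUT -p tcp -i "$INTIF" --dport 80 -j ACCEPT
#$IPTABLES -I INPUT -p udp -i "$INTIF" --dport 80 -j ACCEPT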
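#-------------- FORWARD rules --------------#
# FWD: allow all connections OUT from the LAN and only existing/related ones IN.
$IPTABLES -A FORWARD -i "$EXTIF" -o "$INTIF" -m state --state ESTABLISHED,RELATED -j ACCEPT
# Accepts everything sourced from the LAN (the p2p port DROPs appended earlier
# still run first). As a result the DROP and multiport ACCEPT rules after it
# only ever see traffic from non-LAN sources.
$IPTABLES -A FORWARD -s "$LAN" -j ACCEPT
$IPTABLES -A FORWARD -p tcp --dport 0:65000 -j DROP
$IPTABLES -A FORWARD -p udp --dport 0:65000 -j DROP
# Port 182 lies inside 0:65000, so these two rules are never reached.
$IPTABLES -A FORWARD -p tcp --dport 182 -j DROP
$IPTABLES -A FORWARD -p udp --dport 182 -j DROP
$IPTABLES -A FORWARD -p tcp -m multiport --dport 21,22,53,110,143,5050,10000 -i "$INTIF" -j ACCEPT
$IPTABLES -A FORWARD -p udp -m multiport --dport 21,22,53,110,143,5050,10000 -i "$INTIF" -j ACCEPT
$IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT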
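#-------------- Dropping ports --------------#
# Services that must never be reachable on the firewall from any interface:
# netbios (139), ident (113), nfs (2049), portmapper (111), 826, pptp (1723).
for port in 139 113 2049 111 826 1723; do
  $IPTABLES -I INPUT -p tcp --dport "$port" -j DROP
  $IPTABLES -I INPUT -p udp --dport "$port" -j DROP
done
#$IPTABLES -I INPUT -p tcp --dport 25 -j DROP
#$IPTABLES -I INPUT -p udp --dport 25 -j DROP
#$IPTABLES -A OUTPUT -o "$EXTIF" -d 66.163.181.180 -j DROP
#$IPTABLES -I FORWARD -p tcp --dport 25 -j DROP
#$IPTABLES -I FORWARD -p udp --dport 25 -j DROP
# Well-known p2p ports, dropped for forwarded traffic in either direction.
readonly P2P_PORTS="3135,3514,3587,4033,4661,5427,6581,9104,6881:6999"
$IPTABLES -I FORWARD -p tcp -m multiport --dport "$P2P_PORTS" -j DROP
$IPTABLES -I FORWARD -p udp -m multiport --dport "$P2P_PORTS" -j DROP
# Remote administration (PORTTRIMA) from the Internet: DROP by default, then
# ACCEPT only from REMOTEIP/REMOTEIP1. With -I the ACCEPTs land above the DROPs,
# which is the intended order.
$IPTABLES -I INPUT -p udp -i "$EXTIF" -m multiport --dport "$PORTTRIMA" -j DROP
$IPTABLES -I INPUT -p tcp -i "$EXTIF" -m multiport --dport "$PORTTRIMA" -j DROP
for src in "$REMOTEIP" "$REMOTEIP1"; do
  $IPTABLES -I INPUT -p tcp -i "$EXTIF" -s "$src" -d "$EXTIP1" -m multiport --dport "$PORTTRIMA" -j ACCEPT
  $IPTABLES -I INPUT -p udp -i "$EXTIF" -s "$src" -d "$EXTIP1" -m multiport --dport "$PORTTRIMA" -j ACCEPT
done
# Services on the firewall that must not be reachable from the Internet side.
# The original hard-coded 'ppp0' here; EXTIF holds the same value.
$IPTABLES -I INPUT -p udp -i "$EXTIF" --dport 21 -j DROP
$IPTABLES -I INPUT -p udp -i "$EXTIF" --dport 53 -j DROP
for port in 21 53 106 110 111 113 139 443 445 826 901 993 995 3306 1723 2049; do
  $IPTABLES -I INPUT -p tcp -i "$EXTIF" --dport "$port" -j DROP
done
#$IPTABLES -I INPUT -p tcp -i "$EXTIF" --dport 25 -j DROP
#$IPTABLES -I INPUT -p udp -i "$EXTIF" --dport 80 -j DROP
#$IPTABLES -I INPUT -p tcp -i "$EXTIF" --dport 80 -j DROP
#$IPTABLES -I INPUT -p tcp -i "$EXTIF" --dport 143 -j DROP
#$IPTABLES -I INPUT -p tcp -i "$EXTIF" --dport 10000 -j DROP
# Single-host web blocks. 'eth2' is not defined anywhere in this script; kept
# as written, but confirm the interface actually exists on this box.
$IPTABLES -I INPUT -p tcp -i "$EXTIF" -s 125.161.170.142/32 --dport 80 -j DROP
$IPTABLES -I INPUT -p tcp -i eth2 -s 125.161.170.142/32 --dport 80 -j DROP
# Source-address blocklist on all interfaces. Static entries like these go
# stale quickly; review them periodically. (The original mixed $IPTABLES and a
# bare /sbin/iptables here; they are the same binary.)
for src in 24.10.129.59/32 67.175.251.207/32 89.142.169.18/32 24.176.80.10/32 \
           70.55.20.174/32 75.72.78.238/32 71.234.160.25/32 75.216.230.107/32 \
           98.30.94.174/32 195.50.191.14/32 68.198.229.137/32 66.74.232.167/32 \
           101.79.129.21 89.114.232.0/21 174.127.73.230; do
  $IPTABLES -I INPUT -s "$src" -j DROP
done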
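#/etc/init.d/shaper restart
#/etc/init.d/shaper start
#/script/ip.drop
#/script/mac.drop
#-------------- Payload string matching --------------#
# Drops forwarded packets whose payload contains BitTorrent or old worm
# signatures. Two things to know before relying on this:
#  - These rules are APPENDED to FORWARD after the blanket '-s $LAN -j ACCEPT'
#    and the ESTABLISHED,RELATED ACCEPT above, so LAN-originated traffic is
#    accepted before it ever reaches them. To make them bite they would have
#    to be inserted (-I) ahead of those rules -- which would also make the
#    false positives below matter.
#  - Plain words such as "torrent" and "announce" occur in ordinary web
#    pages and would be dropped as well; encrypted traffic is never matched.
# Uses $IPTABLES like the rest of the script instead of a bare 'iptables'.
for sig in "BitTorrent" "BitTorrent protocol" "peer_id=" ".torrent" \
           "announce.php?passkey=" "torrent" "announce" "info_hash"; do
  $IPTABLES -A FORWARD -m string --algo bm --string "$sig" -j DROP
done
$IPTABLES -A FORWARD -m string --algo bm --string "/default.ida?" -j DROP  # Code Red worm
$IPTABLES -A FORWARD -m string --algo bm --string ".exe?/c+dir" -j DROP    # Nimda worm
$IPTABLES -A FORWARD -m string --algo bm --string ".exe?/c_tftp" -j DROP   # Nimda worm
# BitTorrent keys, second pass with the kmp algorithm scanning up to offset 65535.
for sig in "peer_id" "BitTorrent" "BitTorrent protocol" "bittorrent-announce" \
           "announce.php?passkey="; do
  $IPTABLES -A FORWARD -m string --string "$sig" --algo kmp --to 65535 -j DROP
done
# DHT keywords.
for sig in "info_hash" "get_peers" "announce" "announce_peers"; do
  $IPTABLES -A FORWARD -m string --string "$sig" --algo kmp --to 65535 -j DROP
done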