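#!/bin/sh
#--------------------------------------------------------------------#
# Scenario:
#   - eth1 : network card on the LAN side
#   - ppp0 : dial-up (Internet) interface
#
# This firewall script sets up NAT for the LAN and forces every LAN
# host that talks to port 80, 8080 or 3128 through the local proxy.
#
# Info : dms@ikc.co.id
#--------------------------------------------------------------------#
#
# Layout: every rule is appended (-A) in the order it is evaluated; the
# previous version mixed -I and -A, so the effective order was the
# reverse of what was written and hard to audit.
#   INPUT   : policy ACCEPT, but LAN tcp/udp and the whole Internet side
#             end in an explicit DROP, so only listed services answer.
#   FORWARD : policy DROP; LAN -> Internet allowed, P2P ports/payload dropped.
#   nat     : transparent proxy DNAT plus MASQUERADE on the external side.
#
# Deliberately not run under `set -e`: one failing rule (e.g. a missing
# xt_string module) must not abort the run and leave a half-built firewall;
# iptables prints its own error for each rule that fails.

INTIF="eth1"                    # LAN interface
EXTIF="ppp0"                    # Internet (dial-up) interface
IPTABLES=/sbin/iptables
LAN="192.168.1.0/24"
SERVER="192.168.1.1"            # proxy host (LAN address of this machine)
PROXY_PORT=8080                 # port the proxy listens on
PROXY_DPORTS="80 8080 3128"     # LAN destination ports forced through the proxy
EXTIP="180.247.102.131"         # public address, informational only (see below)
REMOTEIP="125.167.31.236/32"    # admin hosts allowed to reach PORTTRIMA
REMOTEIP1="180.247.63.209/32"
ADMIN_IPS="$REMOTEIP $REMOTEIP1"
PORTTRIMA="22,10000"            # ssh + webmin: reachable from ADMIN_IPS only
LAN_SERVICE_PORTS="22 53 445 3306 8080 10000"   # services LAN hosts may use here
P2P_PORTS="3135,3514,3587,4033,4661,5427,6581,9104,6881:6999"
BLOCKED_PORTS="139 113 2049 111 826 1723"        # never answered, any interface
# Sources dropped on sight (carried over from the old rule set).
BLOCKED_HOSTS="24.10.129.59 67.175.251.207 89.142.169.18 24.176.80.10 \
70.55.20.174 75.72.78.238 71.234.160.25 75.216.230.107 98.30.94.174 \
195.50.191.14 68.198.229.137 66.74.232.167 89.114.232.0/21 174.127.73.230"

#######################################
# Write a value to a /proc/sys knob, skipping knobs this kernel lacks
# (a bare `echo > file` printed an error for each missing one).
# Arguments: $1 - /proc/sys path, $2 - value
#######################################
set_sysctl() {
  if [ -w "$1" ]; then
    echo "$2" > "$1"
  else
    echo "  skipping $1 (not present)" >&2
  fi
}

#######################################
# Load the conntrack/NAT modules the rules below depend on.
#######################################
load_modules() {
  echo "Loading required stateful/NAT kernel modules..."
  #/bin/internet   # extra binary that brings up the Internet link (Flash modem)
  /sbin/depmod -a
  for mod in ip_tables ip_conntrack ip_conntrack_ftp ip_conntrack_irc \
             iptable_nat ip_nat_ftp ip_nat_irc; do
    /sbin/modprobe "$mod"
  done
}

#######################################
# Kernel network hardening and forwarding switches.
#######################################
tune_kernel() {
  set_sysctl /proc/sys/net/ipv4/tcp_syncookies 1
  #set_sysctl /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts 1
  #set_sysctl /proc/sys/net/ipv4/icmp_echo_ignore_all 1
  #set_sysctl /proc/sys/net/ipv4/conf/all/rp_filter 2
  set_sysctl /proc/sys/net/ipv4/conf/all/accept_source_route 0
  set_sysctl /proc/sys/net/ipv4/tcp_timestamps 0
  set_sysctl /proc/sys/net/ipv4/conf/all/accept_redirects 0
  #set_sysctl /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses 1
  #set_sysctl /proc/sys/net/ipv4/conf/all/log_martians 1
  set_sysctl /proc/sys/net/ipv4/ip_local_port_range "32768 61000"
  set_sysctl /proc/sys/net/ipv4/tcp_fin_timeout 30
  set_sysctl /proc/sys/net/ipv4/tcp_keepalive_time 2400
  # Kept from the old settings; disabling window scaling and SACK costs
  # throughput and has no security benefit -- consider setting both to 1.
  set_sysctl /proc/sys/net/ipv4/tcp_window_scaling 0
  set_sysctl /proc/sys/net/ipv4/tcp_sack 0

  echo " Enabling IP forwarding..."
  set_sysctl /proc/sys/net/ipv4/ip_forward 1
  # ppp0 gets a fresh address on every dial-up; ip_dynaddr lets the kernel
  # cope with that for masqueraded connections.
  set_sysctl /proc/sys/net/ipv4/ip_dynaddr 1
}

#######################################
# Flush every table/chain and set the default policies.
#######################################
reset_tables() {
  echo " Clearing any existing rules and setting default policy"
  for table in filter nat mangle; do
    $IPTABLES -t "$table" -F
    $IPTABLES -t "$table" -X
  done
  $IPTABLES -P INPUT ACCEPT
  $IPTABLES -P OUTPUT ACCEPT
  $IPTABLES -P FORWARD DROP
}

#######################################
# Transparent proxy redirection and masquerading.
#######################################
setup_nat() {
  echo " Loading proxy server rules..."
  # The old rule set also had REDIRECT rules for the same ports; they could
  # never match because the DNAT rule above them is terminal, so they are
  # gone.  The UDP rules are kept as written; an HTTP proxy does not speak
  # UDP, so in practice they black-hole LAN UDP to those ports.
  for port in $PROXY_DPORTS; do
    for proto in tcp udp; do
      $IPTABLES -t nat -A PREROUTING -i "$INTIF" -p "$proto" --dport "$port" \
        -j DNAT --to-destination "$SERVER:$PROXY_PORT"
    done
  done
  #$IPTABLES -t nat -A PREROUTING -i "$INTIF" -p tcp --dport 443 -j DNAT --to-destination "$SERVER:$PROXY_PORT"

  # Rate-limited: the old rule logged every packet leaving $EXTIF, which
  # floods the kernel log (and the disk) under any real load.
  $IPTABLES -t nat -A POSTROUTING -o "$EXTIF" \
    -m limit --limit 5/min --limit-burst 10 \
    -j LOG --log-level DEBUG --log-prefix "NAT-OUT: "
  $IPTABLES -t nat -A POSTROUTING -o "$EXTIF" -j MASQUERADE
}

#######################################
# What this host itself answers.
#######################################
setup_input() {
  # Loopback is never filtered (the old port drops also applied to lo).
  $IPTABLES -A INPUT -i lo -j ACCEPT

  for host in $BLOCKED_HOSTS; do
    $IPTABLES -A INPUT -s "$host" -j DROP
  done
  # Single-host drop kept from the old rule set (reason not recorded);
  # eth2 is a third interface the old rules referenced.
  for iface in "$EXTIF" eth2; do
    $IPTABLES -A INPUT -p tcp -i "$iface" -s 125.161.170.142/32 --dport 80 -j DROP
  done

  # Ports this host never answers, on any interface.
  for port in $BLOCKED_PORTS; do
    for proto in tcp udp; do
      $IPTABLES -A INPUT -p "$proto" --dport "$port" -j DROP
    done
  done
  #$IPTABLES -A INPUT -p tcp --dport 25 -j DROP
  #$IPTABLES -A INPUT -p udp --dport 25 -j DROP

  # Replies to connections this host opened towards the Internet.
  $IPTABLES -A INPUT -i "$EXTIF" -m state --state ESTABLISHED,RELATED -j ACCEPT

  # Remote administration only from the admin hosts; everyone else is
  # dropped on those ports.  The old rules also matched `-d $EXTIP`, which
  # silently locks the admins out once the dial-up address changes; `-i`
  # already limits this to packets addressed to us on the Internet side.
  for admin in $ADMIN_IPS; do
    for proto in tcp udp; do
      $IPTABLES -A INPUT -p "$proto" -i "$EXTIF" -s "$admin" \
        -m multiport --dport "$PORTTRIMA" -j ACCEPT
    done
  done
  for proto in tcp udp; do
    $IPTABLES -A INPUT -p "$proto" -i "$EXTIF" -m multiport --dport "$PORTTRIMA" -j DROP
  done

  # LAN-side services, then all other tcp/udp from the LAN is dropped
  # (the old range 0:65000 left 65001-65535 open).
  for port in $LAN_SERVICE_PORTS; do
    for proto in tcp udp; do
      $IPTABLES -A INPUT -p "$proto" -i "$INTIF" --dport "$port" -j ACCEPT
    done
  done
  #$IPTABLES -A INPUT -p tcp -i "$INTIF" --dport 80 -j ACCEPT
  #$IPTABLES -A INPUT -p udp -i "$INTIF" --dport 80 -j ACCEPT
  for proto in tcp udp; do
    $IPTABLES -A INPUT -p "$proto" -i "$INTIF" --dport 0:65535 -j DROP
  done

  # Internet side is default-deny.  The old rule set dropped a fixed list of
  # ports (21, 53, 106, 110, 111, ...) and let everything else reach the host,
  # so unlisted services -- the proxy on $PROXY_PORT and 3128 among them --
  # were reachable from outside unless the proxy binds to the LAN address only.
  $IPTABLES -A INPUT -i "$EXTIF" -j DROP
}

#######################################
# Payload-based P2P / worm signatures, collected in their own chain.
# Patterns such as "torrent" and "announce" are broad; they only see traffic
# that is not proxied, since proxied HTTP never passes through FORWARD.
#######################################
setup_p2p_filter() {
  # The old list had each BitTorrent pattern twice (bm and kmp) and several
  # patterns that contain another ("peer_id=" contains "peer_id"); the set
  # below matches exactly the same packets.
  for pat in "BitTorrent" "peer_id" "torrent" "announce" "info_hash" "get_peers" \
             "/default.ida?" ".exe?/c+dir" ".exe?/c_tftp"; do   # last three: Code Red / Nimda
    $IPTABLES -A P2P_FILTER -m string --algo bm --string "$pat" -j DROP
  done
}

#######################################
# What is routed between the LAN and the Internet.
#######################################
setup_forward() {
  # Known P2P ports, either direction.
  for proto in tcp udp; do
    $IPTABLES -A FORWARD -p "$proto" -m multiport --dport "$P2P_PORTS" -j DROP
  done
  # Replies coming back in for LAN connections.
  $IPTABLES -A FORWARD -i "$EXTIF" -o "$INTIF" -m state --state ESTABLISHED,RELATED -j ACCEPT
  # LAN -> Internet on high ports is treated as P2P and blocked.
  for proto in tcp udp; do
    $IPTABLES -A FORWARD -i "$INTIF" -o "$EXTIF" -p "$proto" --dport 5051:65535 -j DROP
  done
  # In the old rule set the string filters were appended after the blanket
  # LAN accept and therefore never matched anything; they now run before it.
  $IPTABLES -N P2P_FILTER
  setup_p2p_filter
  $IPTABLES -A FORWARD -j P2P_FILTER
  # Everything else from the LAN may go out.  `-i $INTIF` was missing, so a
  # packet arriving on $EXTIF with a spoofed LAN source was forwarded too.
  $IPTABLES -A FORWARD -i "$INTIF" -s "$LAN" -j ACCEPT
  $IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
  # Anything reaching this point is dropped by the chain policy; the old
  # 0:65000 drops and the multiport accept after them were unreachable.
}

main() {
  printf '\n\nSETTING UP IPTABLES PROXY...\n'
  load_modules
  tune_kernel
  echo " External interface: $EXTIF"
  echo " External interface IP address is: $EXTIP"
  reset_tables
  setup_nat
  setup_input
  setup_forward

  #/etc/init.d/shaper restart
  #/etc/init.d/shaper start
  # Site-specific drop list, run only when present (the old unconditional
  # call printed an error when the file was missing).
  if [ -x /script/ip.drop ]; then
    /script/ip.drop
  fi
  #/script/mac.drop
}

main "$@"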