# Firewall script for iptables

## init-6

This is a bash script for iptables which generates a set of rules building a "stateful" firewall. It has been tested against most nmap attacks and blocks them, except when only 1 SYN packet is sent to 1 port; so if more than 3 ports are scanned (very normal in a stealth scan) it blocks you. It does not block SYN because if it blocked that on port 80, for example, it would mean blocking every kind of connection.
It normally also blocks Xmas, Null, FIN scans etc. etc., it has also been tested against --scanflags (custom scans where you choose the TCP flags yourself), and it blocks spoofing attacks by changing the rule directly in the netfilter "core".
Oh, one prerequisite: the kernel must be compiled with conntrack support, otherwise the rules against nmap will not work.
This is version 1.1, so there will be a lot to change and a lot to improve, but it is fairly solid as a script anyway.
Finally, the script is in English because the site is also in a transition period and will switch to English.
If somebody takes the initiative to translate it, thank you.

```
#!/bin/sh
#*****************************************************************
#AlbanianWizard Iptables Firewall Script v 1.1 [connection bug fix]
#Tested against most nmap personalised scans,
#To Do : portbunny/unicornscan/ping3 scanning [next versions]
#Author : Arditi
#License : GPLv3
#Contact : arditi[nospam]hush.ai
#WARNINGS: You must be root to run this,
#          This script is designed only for personal pc/laptop boxes, it is not for gateways/routers
#          Don't change the chain/rule-set order
#Technologies for building this mini-firewall:
# a) Static rule based policies (not to be confused with a "static firewall")
# b) Connection based stateful policies
# c) Sanity based policies
#*****************************************************************
#Variables, please check the correct location of iptables
#whereis iptables ; whereis ip6tables
#*****************************************************************
IPT=/sbin/iptables
IPT6=/sbin/ip6tables
MP=/sbin/modprobe
INET=192.168.1.0/24 #Local network, not referenced below (mask corrected from /8, which did not fit the address)
IF=eth0
echo "$USER is setting up AW iptables firewall on $HOSTNAME"
#*****************************************************************
#Setting up Connection Tracking Modules
#(legacy module names; on current kernels they are nf_conntrack, nf_conntrack_ftp and nf_nat_ftp)
echo "* [+] Setting up Connection Tracking Modules"
$MP ip_conntrack
$MP iptable_nat
$MP ip_conntrack_ftp
$MP ip_nat_ftp
$MP nfnetlink_log
#*****************************************************************
#Initial Setup
echo "* [+] Setting up Chains"
$IPT -F
$IPT -X
$IPT -P INPUT DROP
$IPT -P FORWARD DROP
$IPT -P OUTPUT ACCEPT #Or change to DROP and allow what you want if it is not your personal box
$IPT -N FLOOD_CHAIN
$IPT -N BAD_CHAIN
$IPT -N TCP_CHAIN
$IPT -N ICMP_CHAIN
$IPT -N UDP_CHAIN
#Every INPUT packet walks these chains in this order before reaching the rules appended further below
$IPT -A INPUT -j FLOOD_CHAIN
$IPT -A INPUT -j BAD_CHAIN
$IPT -A INPUT -j TCP_CHAIN
$IPT -A INPUT -j ICMP_CHAIN
$IPT -A INPUT -j UDP_CHAIN
#*****************************************************************
#Blocking IPV6 traffic
echo "* [+] Blocking all IPV6 Traffic"
$IPT6 -P INPUT DROP
$IPT6 -P FORWARD DROP
$IPT6 -P OUTPUT DROP
#*****************************************************************
#Setting up the Rules
echo "* [+] Setting up the rules"
#Good things :)
$IPT -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
$IPT -A INPUT -i lo -j ACCEPT #Accept loopback traffic
#Bad things are normal :)
#against -sO IP Protocol Scan (for supported protocols)
$IPT -A INPUT -p sctp -j DROP
$IPT -A INPUT -p gre -j DROP
echo "* [+] Setting up the FLOOD_CHAIN"
#This will only improve the situation, in real life you should use Reactive Address Blocking (RAB)
#This will work for UDP/TCP/ICMP floods sending more than 1 packet/s and also try to block nmap -sS scan.
$IPT -A FLOOD_CHAIN -i $IF -m limit --limit 6/s --limit-burst 6 -j RETURN #Accept only 6 packets/sec; only the first 6 packets match
$IPT -A FLOOD_CHAIN -i $IF -j LOG --log-level 7 --log-prefix "# Syn Flood #"
$IPT -A FLOOD_CHAIN -i $IF -j DROP
#***********THE BAD CHAINS *****************************************
echo "* [+] Setting up the BAD_CHAIN"
#$IPT -A BAD_CHAIN -p tcp ! --syn -m state --state NEW -j DROP #Force --syn packet check for NEW connections, if not DROP IT!
$IPT -A BAD_CHAIN -m conntrack --ctstate INVALID -j DROP #Enforcing, dropping invalid connections beginning with FIN,PSH,ACK,RST etc..
#Throw away fragmentation attacks
$IPT -A BAD_CHAIN -f -j DROP
#nmap scans not blocked by "INVALID" state
$IPT -A BAD_CHAIN -p tcp -i $IF --tcp-flags ALL SYN,PSH -j DROP
$IPT -A BAD_CHAIN -p tcp -i $IF --tcp-flags ALL SYN,URG -j DROP
$IPT -A BAD_CHAIN -p tcp -i $IF --tcp-flags ALL NONE -j DROP
#Anti-spoofing
echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter #setting it to 0 disables spoofing protection
#******************************************************************
echo "* [+] Setting up the TCP_CHAIN"
#WEB-SERVER
$IPT -A TCP_CHAIN -p tcp -i $IF --dport 80 --syn -m state --state NEW -j ACCEPT
$IPT -A TCP_CHAIN -p tcp -i $IF --dport 443 --syn -m state --state NEW -j ACCEPT #ssl
$IPT -A TCP_CHAIN -m conntrack -i $IF --ctstate ESTABLISHED,RELATED -j ACCEPT #enforcing
$IPT -A TCP_CHAIN -p tcp -i $IF -j DROP
echo "* [+] Setting up the UDP_CHAIN"
#UDP_CHAIN
#$IPT -A UDP_CHAIN -p udp --dport 53 -j ACCEPT  #if you want some DNS server
$IPT -A UDP_CHAIN -p udp -i $IF -j DROP
echo "* [+] Setting up the ICMP_CHAIN"
#ICMP_CHAIN
#allow ping | Currently you can ping others but others can't ping you :D [uncomment below if you want to be pinged]
$IPT -A ICMP_CHAIN -p icmp -m hashlimit --hashlimit 3/sec --hashlimit-mode srcip,dstip --hashlimit-name xticmp -m icmp --icmp-type 8 -j ACCEPT
$IPT -A ICMP_CHAIN -p icmp -i $IF -m hashlimit --hashlimit 3/sec --hashlimit-mode srcip,dstip --hashlimit-name xticmp -m icmp --icmp-type 30 -j ACCEPT
$IPT -A ICMP_CHAIN -p icmp -i $IF -j DROP
#Logging dropped things
$IPT -A INPUT -m limit --limit 5/min -j LOG --log-prefix "DROP: " --log-level 7

#°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°#
#Note, these are some of the common layer-3 attacks, but the real firewall attacks today are
#protocol tunneling / firewall piercing, so for this you need to use Snort, l7-firewall or some other
#application designed for performing layer 7 application checks.
#Yes, iptables can do this stuff but it is too resource consuming
#°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°#
#print the configuration
#$IPT -nvL
```

----------


## xubuntu

you would need this script for some server, because for desktop use Firestarter is enough

----------


## init-6

no no, it is for personal computers; I keep an httpd running so that, as they say, I have one with me on the road..
firestarter is indeed enough for a desktop, but in the end it is also built on top of iptables, it just changes the rules not through the shell but through a GUI, like windows :D

Even though the script gives the same results as firestarter :), after a scan it is still in a primitive version; in some future version I hope to build something multi-layered
Some reasons why I prefer to use it over an application are:
 - Custom, according to my preferences
 - I know what I am executing
 - Very light and very small compared to an application built on top of iptables [PS, firewalls like endian-firewall, ip-cop, smoothwall, etc. etc. do not use applications, they use exactly such scripts] (I try to keep the system as simple and minimalist as possible)
 - When I do not remember some command I open the script and see it there :D

In the end it does its job, it makes all the ports stealth, but in reality today's attacks are of the ssh over http type, "protocol over protocol", and for those you need something at layer 7 that works with signatures.. iptables, even though it can stop something like that, was not built for it..

Do you use firestarter?

----------


## xubuntu

> no no, it is for personal computers; I keep an httpd running so that, as they say, I have one with me on the road..
> firestarter is indeed enough for a desktop, but in the end it is also built on top of iptables, it just changes the rules not through the shell but through a GUI, like windows
> 
> Even though the script gives the same results as firestarter, after a scan it is still in a primitive version; in some future version I hope to build something multi-layered
> Some reasons why I prefer to use it over an application are:
>  - Custom, according to my preferences
>  - I know what I am executing
>  - Very light and very small compared to an application built on top of iptables [PS, firewalls like endian-firewall, ip-cop, smoothwall, etc. etc. do not use applications, they use exactly such scripts] (I try to keep the system as simple and minimalist as possible)
>  - When I do not remember some command I open the script and see it there
> ...


on Ubuntu I use firestarter, which as you said is just a graphical interface to iptables; for lack of time I have not got into studying iptables

----------


## davidd

why bother with iptables, come on...

----------


## init-6

V 2.0



```
#!/bin/sh
#*****************************************************************
#AlbanianWizard Iptables Firewall Script v 2.0 [re-design]
#Tested against most nmap personalised scans.
#Author : Arditi
#License : GPLv3
#Contact : arditi[nospam]hush.ai
#WARNINGS: You must be root to run this,
#          This script is designed only for personal pc/laptop boxes, it is not for gateways/routers
#          Don't change the chain/rule-set order
#Technologies for building this mini-firewall:
# a) Static rule based policies (not to be confused with a "static firewall")
# b) Connection based stateful policies
# c) Sanity based policies
#*****************************************************************
#Variables, please check the correct location of iptables
#whereis iptables ; whereis ip6tables and edit the Variables below
#*****************************************************************
IPT=/usr/sbin/iptables
IPT6=/usr/sbin/ip6tables
MP=/sbin/modprobe
IF=wlan0
echo "$USER is setting up AW iptables firewall on $HOSTNAME"
#*****************************************************************
#Setting up Connection Tracking Modules
#(legacy module names; on current kernels they are nf_conntrack, nf_conntrack_ftp and nf_nat_ftp)
echo "* [+] Setting up Connection Tracking Modules"
$MP ip_conntrack
$MP iptable_nat
$MP ip_conntrack_ftp
$MP ip_nat_ftp
$MP nfnetlink_log
#*****************************************************************
#Initial Setup
#*****************************************************************
echo "* [+] Setting up Chains"
$IPT -F
$IPT -X
$IPT -P INPUT DROP #Set the default policy for chain INPUT to DROP
$IPT -P FORWARD DROP
$IPT -P OUTPUT ACCEPT #Or change to DROP and allow what you want if it is not your personal box
$IPT -N BAD_CHAIN     #Chain dedicated to scanning / fragmentation attacks
$IPT -N TCP_CHAIN     #Chain to define what packets we accept from TCP
$IPT -N UDP_CHAIN     #Chain to define what packets we accept from UDP
$IPT -N ICMP_CHAIN    #Chain to define what packets we accept from ICMP
#*****************************************************************
#Blocking all IPV6 traffic
echo "* [+] Blocking all IPV6 Traffic"
$IPT6 -P INPUT DROP
$IPT6 -P FORWARD DROP
$IPT6 -P OUTPUT DROP
#*****************************************************************
#Setting up the Rules
echo "* [+] Setting up the rules (accepting good things)"
#Accept already established connections (before the rate limits below, so a live connection is never throttled).
$IPT -A INPUT -i $IF -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A INPUT -i $IF -p udp -m state --state ESTABLISHED,RELATED -j ACCEPT
#Other rule for UDP
$IPT -A INPUT -i $IF -p udp -m limit --limit 2/s --limit-burst 20 -j UDP_CHAIN
#Accept loopback traffic
$IPT -A INPUT -i lo -s 0/0 -d 0/0 -j ACCEPT
#####################################################################
#                      WARMING UP THE INPUT
#####################################################################
#Anti-spoofing
echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter #setting it to 0 disables spoofing protection
#Force --syn packet check for NEW connections, if not send it to BAD_CHAIN!
$IPT -A INPUT -p tcp ! --syn -m state --state NEW -j BAD_CHAIN
#Throw away fragmentation attacks
$IPT -A INPUT -f -j BAD_CHAIN
#Enforcing, dropping invalid connections beginning with FIN,PSH,ACK,RST etc..
$IPT -A INPUT -m conntrack --ctstate INVALID -j BAD_CHAIN
#nmap scans not blocked by "INVALID" state
$IPT -A INPUT -p tcp -i $IF --tcp-flags ALL SYN,PSH -j BAD_CHAIN
$IPT -A INPUT -p tcp -i $IF --tcp-flags ALL SYN,URG -j BAD_CHAIN
$IPT -A INPUT -p tcp -i $IF --tcp-flags ALL NONE -j BAD_CHAIN
#**********************************************************************#
#                      FLOOD CHAIN REDIRECTS                           #
#This will only improve the situation, in real life you should use Reactive Address Blocking (RAB)
#This will work for UDP/TCP/ICMP floods sending more than 1 packet/s and also try to block nmap -sS scan.
#Only the first NEW packet per second reaches TCP_CHAIN / ICMP_CHAIN; the rest fall through to the INPUT policy (DROP, no reply).
$IPT -A INPUT -i $IF -p tcp -m limit --limit 1/s --limit-burst 1  -j TCP_CHAIN
$IPT -A INPUT -i $IF -p icmp -m limit --limit 1/s --limit-burst 1 -j ICMP_CHAIN
#########################################################################
#                    BAD CHAIN                  #
#########################################################################
$IPT -A BAD_CHAIN -i $IF -j LOG --log-level info --log-prefix "# Bad Packets #"
$IPT -A BAD_CHAIN -i $IF -j DROP
#******************************************************************
echo "* [+] Setting up the TCP_CHAIN"
#WEB-SERVER
$IPT -A TCP_CHAIN -p tcp -i $IF --dport 80 --syn -m state --state NEW -j ACCEPT
$IPT -A TCP_CHAIN -p tcp -i $IF --dport 443 --syn -m state --state NEW -j ACCEPT #ssl
$IPT -A TCP_CHAIN -m conntrack -i $IF --ctstate ESTABLISHED,RELATED -j ACCEPT #enforcing
$IPT -A TCP_CHAIN -i $IF -j LOG --log-level info --log-prefix "# TCP_CHAIN BLOCKED PACKET #"
$IPT -A TCP_CHAIN -i $IF -j DROP
echo "* [+] Setting up the UDP_CHAIN"
#UDP_CHAIN
#$IPT -A UDP_CHAIN -p udp --dport 53 -j ACCEPT  #if you want some DNS server
$IPT -A UDP_CHAIN -i $IF -j LOG --log-level info --log-prefix "# UDP DROPPED #"
$IPT -A UDP_CHAIN -p udp -i $IF -j DROP
echo "* [+] Setting up the ICMP_CHAIN"
#ICMP_CHAIN
#allow ping | Currently you can ping others but others can't ping you :D [uncomment below if you want to be pinged]
#$IPT -A ICMP_CHAIN -p icmp -i $IF --icmp-type 8 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT #(allow others to ping you)
$IPT -A ICMP_CHAIN -p icmp -i $IF --icmp-type 0 -m state --state ESTABLISHED,RELATED -j ACCEPT #allow ping from you to others
$IPT -A ICMP_CHAIN -i $IF -j LOG --log-level info --log-prefix "# ICMP BAD PACKET #"
$IPT -A ICMP_CHAIN -p icmp -i $IF -j DROP
#°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°#
#Note, these are some of the common layer-3 attacks, but the real firewall attacks today are
#protocol tunneling / firewall piercing, so for this you need to use Snort, l7-firewall or some other
#application designed for performing layer 7 application checks.
#Yes, iptables can do this stuff but it is too resource consuming
#°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°#
#print the configuration
#$IPT -nvL
```

Improvements:

* Fixed the design problem in the rate-based packet filtering used to block flood attacks.
* Protective options were applied against the overwhelming majority of port scans, and even if it is scanned with normal syn packets this firewall manages to hide the port even if it is open.

HOW?

=> Here is how it works:
If someone runs an -sS scan with nmap (i.e. the classic SYN scan) it will start sending many packets per second and will normally check the ports in series (1-1000) or the most used ports.
Immediately the --limit and --limit-burst rule kicks in, which will accept only the first packet and refuse (not answer) the rest.
So even if in reality port 80, say, is open, the scan will be in conntrack and will be DROPped.
So then how will my server (let's say) be online?
Normally, a standard connection would be 1 syn packet => dpt 80, and this would not be blocked :)

* The option to log all blocked packets has been added.

Other options as far as I remember; it was 2 at night when it was finished.
It is tested, it works fine ;)

Enjoy, and report bugs at the homepage.
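The --limit / --limit-burst gate described above, as an added Python simulation (not part of the original script): a token bucket with the semantics of the iptables limit match placed in front of a minimal TCP_CHAIN, fed with constructed traces of a fast SYN scan and of a single normal client. OPEN_PORTS and the packet traces are assumptions made for the example.

```python
# Simulation of the v2.0 rate gate in front of TCP_CHAIN:
#   iptables -A INPUT -i $IF -p tcp -m limit --limit 1/s --limit-burst 1 -j TCP_CHAIN
# The packet traces below are constructed, not captured traffic.


class LimitMatch:
    """Token bucket with the semantics of the iptables 'limit' match:
    'burst' tokens available at start, refilled at 'rate' tokens per second,
    one token consumed per matching packet."""

    def __init__(self, rate: float, burst: int):
        self.rate = rate
        self.burst = burst
        self.tokens = float(burst)
        self.last = 0.0

    def matches(self, now: float) -> bool:
        self.tokens = min(float(self.burst), self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


OPEN_PORTS = {80, 443}  # assumption: the two --dport ACCEPT rules of TCP_CHAIN


def input_chain(packets, rate=1.0, burst=1):
    """Verdict per packet, following the INPUT ordering of the v2.0 script:
    ESTABLISHED/RELATED accepted first, then the limit gate, then TCP_CHAIN,
    otherwise the INPUT policy DROP. packets: (time_s, dport, state)."""
    gate = LimitMatch(rate, burst)
    verdicts = []
    for t, dport, state in packets:
        if state == "ESTABLISHED":
            verdicts.append("ACCEPT")   # -m state --state ESTABLISHED,RELATED
        elif not gate.matches(t):
            verdicts.append("DROP")     # policy DROP: silently discarded, port looks filtered
        elif dport in OPEN_PORTS:
            verdicts.append("ACCEPT")   # reached TCP_CHAIN and matched --dport 80/443 --syn
        else:
            verdicts.append("DROP")     # TCP_CHAIN: LOG then DROP
    return verdicts


def syn_scan(ports, pps=100.0):
    """Constructed -sS style trace: one SYN per port, 'pps' probes per second."""
    return [(i / pps, p, "NEW") for i, p in enumerate(ports)]


def browser_session(t0=0.0):
    """Constructed normal client: one SYN to port 80, then established data packets."""
    return [(t0, 80, "NEW")] + [(t0 + 0.05 * k, 80, "ESTABLISHED") for k in range(1, 4)]
```

A fast scan only gets its first probe through the gate, so an open port 80 probed second reads as filtered, while the single SYN of a real client and all its established packets pass; a trace slower than the refill rate passes the gate on every probe, which is the limit of this approach that the first post already notes.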

----------


## xubuntu

> V 2.0
> 
> 
> 
> ```
> #!/bin/sh
> #*****************************************************************
> #AlbanianWizard Iptables Firewall Script v 2.0 [re-design]
> #Tested against most nmap personalised scans.
> ...


if I want to open port 22, this command is enough

```
# Must sit before the final LOG/DROP rules of TCP_CHAIN, otherwise it is never reached
iptables -A TCP_CHAIN  -p tcp  -i $IF --dport 22  -s 192.168.0.100 -j ACCEPT
```

----------


## init-6

> if I want to open port 22, this command is enough
> 
> ```
> iptables -A TCP_CHAIN  -p tcp  -i $IF --dport 22  -s 192.168.0.100 -j ACCEPT
> ```


Correct, but I would also advise a --state, because bypasses could happen with scanners and the various options of portbunny etc..
On the local network it would not be a problem, since I see -s 192.168.0.100, and this is the philosophy generally followed in building firewalls: block everything and leave open only what is essential.

If you have servers with public IPs, it is absolutely not advisable to leave port 22 open (usually openssh exploits are always kept private, except for some that have rm -rf /* ;) in the shellcode), so:
a) Change the port, e.g. 1583
b) http://www.zeroflux.org/projects/knock

You choose how to configure it, then you send some packets to ports that you define (you give the server a signal) and it then opens the port for you.

It is used by most companies that deal with linux firewalls.

----------

