This script works on all standard Linux distributions, but use it at your own risk! It was written to automate the creation of iptables rules, and it comes with an easy-to-use menu.


root:~# ./firewall.sh
 Firewall script by www.waltercedric.com
  Credits to all various authors - GNU/GPL 3.0 Script
  Choose one of the following options:

[N]ew firewall rules
[C]lear all firewall rules
[T]est firewall rules
[S]ave firewall rules to /etc/network/iptables
[E]xit

Features

  • Uses iptables,
  • Allows or blocks the most common services (dns, http, ftp, smtp, icmp, ntp, ssh …),
  • Protects ssh against too many login attempts within a time frame (iptables "recent" match),
  • Optionally restricts ssh so that only a listed IP range may reach the service,
  • Hardens the web server by dropping malformed HTTP packets,
  • Easy to read and extend, written in bash,
  • GNU/GPL 3.0 script,
  • To use it, just edit the file firewall.sh and change the variables shown below.

    IPT="/sbin/iptables"

    ########## Interfaces ##########################################
    PUB_IF="eth0"   # public interface
    LO_IF="lo"      # loopback
    # Public address of this host. The grep/awk pattern matches the legacy
    # net-tools ifconfig output ("inet addr:..."); on distributions that ship
    # the iproute2-style ifconfig, adjust the pattern or use "ip -4 addr".
    SERVER_IP=$(ifconfig eth0 | grep 'inet addr:' | awk -F'inet addr:' '{ print $2}' | awk '{ print $1}')

    ########## Allow/block services ################################
    ALLOW_SSH="true"
    ALLOW_HTTP="true"
    ALLOW_FTP="false"
    ALLOW_OUTGOING_NTP="true"
    ALLOW_OUTGOING_SMTP="true"
    ALLOW_INCOMING_ICMP="true"
    USE_HARDENING_RULESET="true"

    ########## SSH #################################################
    SSH_PORT=22
    # Every NEW connection to port ${SSH_PORT} is noted and added to the "recent" list.
    # If your IP is on the recent list and has ${SSH_LOGIN_ATTEMPT} or more entries
    # in the last ${SSH_LOGIN_ATTEMPT_TIMEFRAME_SECONDS} seconds, the request is dropped.
    SSH_LOGIN_ATTEMPT_PROTECTION="true"
    SSH_LOGIN_ATTEMPT=4
    SSH_LOGIN_ATTEMPT_TIMEFRAME_SECONDS=90
    # Restrict ssh to the listed source range only (CIDR notation)
    SSH_ALLOW_ONLY_IP="false"
    SSH_ALLOW_ONLY_IP_LIST="122.xx.yy.zz/29"

    #### FILES #####
    BLOCKED_IP_TDB=/root/.fw/blocked.ip.txt   # list of IPs to block unconditionally
    SPOOFIP=""
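The SSH protection described by the variables above (count NEW connections per source with the iptables "recent" match, drop a source once it reaches the hit count inside the time window, or alternatively accept only a listed range) can be generated like this. This is an added example, not the firewall.sh script itself: the function and variable defaults are mine, it reuses the page's variable names, and it assumes SSH_ALLOW_ONLY_IP_LIST holds one or more space-separated CIDRs. With DRY_RUN=1 (the default) it prints the rules instead of applying them, so it runs without root.

```bash
#!/usr/bin/env bash
# Added example (not the original firewall.sh): build the SSH INPUT rules that
# the page's SSH_* variables describe. DRY_RUN=1 prints the rules; DRY_RUN=0
# executes them (needs root and the iptables "recent" and "conntrack" matches).
set -eu

IPT="${IPT:-/sbin/iptables}"
PUB_IF="${PUB_IF:-eth0}"
SSH_PORT="${SSH_PORT:-22}"
SSH_LOGIN_ATTEMPT_PROTECTION="${SSH_LOGIN_ATTEMPT_PROTECTION:-true}"
SSH_LOGIN_ATTEMPT="${SSH_LOGIN_ATTEMPT:-4}"
SSH_LOGIN_ATTEMPT_TIMEFRAME_SECONDS="${SSH_LOGIN_ATTEMPT_TIMEFRAME_SECONDS:-90}"
SSH_ALLOW_ONLY_IP="${SSH_ALLOW_ONLY_IP:-false}"
SSH_ALLOW_ONLY_IP_LIST="${SSH_ALLOW_ONLY_IP_LIST:-}"   # assumed: space-separated CIDRs
DRY_RUN="${DRY_RUN:-1}"

# run: print the iptables command in dry-run mode, otherwise execute it.
run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# ssh_rules: emit the INPUT rules for SSH in evaluation order. Append these
# after the usual "-m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT" rule so
# that packets of existing sessions are never counted as new attempts.
ssh_rules() {
    # 1. Strict allow-list: only listed sources may open a connection; everything
    #    else is dropped here, so the rate limit below is not needed in this mode.
    if [ "$SSH_ALLOW_ONLY_IP" = "true" ]; then
        local allowed
        for allowed in $SSH_ALLOW_ONLY_IP_LIST; do
            run "$IPT" -A INPUT -i "$PUB_IF" -p tcp --dport "$SSH_PORT" -s "$allowed" \
                -m conntrack --ctstate NEW -j ACCEPT
        done
        run "$IPT" -A INPUT -i "$PUB_IF" -p tcp --dport "$SSH_PORT" \
            -m conntrack --ctstate NEW -j DROP
        return 0
    fi

    # 2. Rate limit: record every NEW SSH connection in the recent list "SSH",
    #    then drop the source if it now has SSH_LOGIN_ATTEMPT or more entries
    #    within the last SSH_LOGIN_ATTEMPT_TIMEFRAME_SECONDS seconds. "--update"
    #    also refreshes the timestamp, so a source that keeps knocking stays blocked.
    if [ "$SSH_LOGIN_ATTEMPT_PROTECTION" = "true" ]; then
        run "$IPT" -A INPUT -i "$PUB_IF" -p tcp --dport "$SSH_PORT" -m conntrack --ctstate NEW \
            -m recent --set --name SSH
        run "$IPT" -A INPUT -i "$PUB_IF" -p tcp --dport "$SSH_PORT" -m conntrack --ctstate NEW \
            -m recent --update --seconds "$SSH_LOGIN_ATTEMPT_TIMEFRAME_SECONDS" \
            --hitcount "$SSH_LOGIN_ATTEMPT" --name SSH -j DROP
    fi

    # 3. Whatever survived the checks above is accepted.
    run "$IPT" -A INPUT -i "$PUB_IF" -p tcp --dport "$SSH_PORT" -m conntrack --ctstate NEW -j ACCEPT
}

# ssh_rule_count: how many rules ssh_rules emits with the current settings.
ssh_rule_count() {
    DRY_RUN=1 ssh_rules | wc -l | tr -d ' '
}

ssh_rules
```

Two caveats a practitioner should keep in mind. The recent list is keyed on the source address of the SYN packet, so someone sending forged SYNs with your admin workstation's address can push that address over the hit count and lock you out for the length of the window; keep the allow-list (or a separate ACCEPT for the admin range placed before the rate-limit rules) as an escape hatch. And `--hitcount` is bounded by the recent module's `ip_pkt_list_tot` parameter (20 by default), so larger attempt counts silently fail to load unless that parameter is raised.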

    The file is available as a Gist https://gist.github.com/1690823

