Langsung saja copy script berikut:
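#!/bin/sh
#### IPTABLES V1.1 by ariecc 21-03-2012 ####
#
# Host firewall for a single server.  Default policy is DROP on INPUT,
# FORWARD and OUTPUT; the rules below then open loopback, replies to
# existing connections, a fixed list of service ports (REG_PORTS),
# rate-limited HTTP, DNS and ping.  TCP packets with impossible flag
# combinations (typical scanner probes) go to MY_DROP; anything else that
# reaches the end of INPUT is logged (rate-limited) and dropped via LOGGING.
#
# Must be run as root.  Re-running it replaces the whole ruleset.
#
# Fixes relative to the original listing:
#  - the shebang is now the first line, so the file runs under /bin/sh
#    directly instead of only via "sh myfw.sh"
#  - INPUT no longer ACCEPTs state NEW unconditionally: that rule was placed
#    before every port filter, so every new inbound connection was accepted
#    and the port list, flag checks and LOGGING chain were never reached
#  - user chains are removed (-X) after the flush; -F alone leaves MY_DROP
#    and LOGGING in place, so a second run fails on "chain already exists"
#    and appends duplicate LOG/DROP rules to them
#  - the TCP flag checks now run before the port ACCEPT rules, so malformed
#    packets are dropped even when aimed at an allowed port
#
# set -e: a failing iptables call aborts instead of silently installing a
# partial ruleset; set -u: an unset variable is an error, not an empty arg.
set -eu

IPT=/sbin/iptables

### Port Standar ###
### Add Number If Want to Allow ###
REG_PORTS="22,110,443,995,587,143,3306"

# Start from an empty table: flush every rule, then delete the (now empty,
# unreferenced) user-defined chains so "-N" below succeeds on every run.
$IPT -F
$IPT -X

### Policies (Aturan Default) ##
# DROP ALL Conecction in INPUT FORWARD OUTPUT
# Note: traffic is blocked from this point until the ACCEPT rules below are
# in place; existing TCP sessions survive the short gap via retransmission.
$IPT -P OUTPUT DROP
$IPT -P INPUT DROP
$IPT -P FORWARD DROP

# NEW CHAIN to Block Port Scanner dan Paket Tak Beraturan
# Logged at most 7200 entries per hour, then dropped.
$IPT -N MY_DROP
$IPT -A MY_DROP -m limit --limit 7200/h -j LOG --log-prefix "PORTSCAN DROP"
$IPT -A MY_DROP -j DROP

# Terminal chain for INPUT: log (max 2/min, debug level) and drop.
$IPT -N LOGGING
$IPT -A LOGGING -m limit --limit 2/min -j LOG --log-prefix "INPUT|Packet Dropped: " --log-level 7
$IPT -A LOGGING -j DROP

### Input Chain
## Allow From Loopback
$IPT -A INPUT -i lo -j ACCEPT
## Allow Respone
# Only ESTABLISHED,RELATED here.  Accepting NEW at this position would
# short-circuit every filter that follows (this was the original bug).
$IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
## Drop impossible / scanner-style TCP flag combinations first, so they are
## rejected regardless of destination port.
$IPT -A INPUT -p tcp --tcp-flags ALL NONE -j MY_DROP
$IPT -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j MY_DROP
$IPT -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j MY_DROP
$IPT -A INPUT -p tcp --tcp-flags FIN,RST FIN,RST -j MY_DROP
$IPT -A INPUT -p tcp --tcp-flags ACK,FIN FIN -j MY_DROP
$IPT -A INPUT -p tcp --tcp-flags ACK,PSH PSH -j MY_DROP
$IPT -A INPUT -p tcp --tcp-flags ACK,URG URG -j MY_DROP
## Prevent DOS Attack | Monitored
# HTTP is accepted only within the rate limit; packets over the limit fall
# through to LOGGING below (port 80 is deliberately not in REG_PORTS).
$IPT -A INPUT -p tcp --dport 80 -m limit --limit 25/minute --limit-burst 100 -j ACCEPT
$IPT -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
## Improve v1.1
$IPT -A INPUT -p tcp -m multiport --dports "$REG_PORTS" -j ACCEPT
$IPT -A INPUT -p udp -m multiport --dports "$REG_PORTS" -j ACCEPT
# Everything not matched above is logged and dropped.
$IPT -A INPUT -j LOGGING

### Forward Chain
## Accept ESTABLISHED,RELATED
$IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
## Flag checks before any port is opened (same set as INPUT)
$IPT -A FORWARD -p tcp --tcp-flags ALL NONE -j MY_DROP
$IPT -A FORWARD -p tcp --tcp-flags SYN,FIN SYN,FIN -j MY_DROP
$IPT -A FORWARD -p tcp --tcp-flags SYN,RST SYN,RST -j MY_DROP
$IPT -A FORWARD -p tcp --tcp-flags FIN,RST FIN,RST -j MY_DROP
$IPT -A FORWARD -p tcp --tcp-flags ACK,FIN FIN -j MY_DROP
$IPT -A FORWARD -p tcp --tcp-flags ACK,PSH PSH -j MY_DROP
$IPT -A FORWARD -p tcp --tcp-flags ACK,URG URG -j MY_DROP
## Prevent DOS Attack | Monitored
# NOTE(review): the matching INPUT rule uses "-p tcp"; "-p udp" on port 80
# here looks like a typo in the original — confirm before changing.
$IPT -A FORWARD -p udp --dport 80 -m limit --limit 25/minute --limit-burst 100 -j ACCEPT
## Improve v1.1
$IPT -A FORWARD -p tcp -m multiport --dports "$REG_PORTS" -j ACCEPT
$IPT -A FORWARD -p udp -m multiport --dports "$REG_PORTS" -j ACCEPT
# Allow DNS
$IPT -A FORWARD -p tcp --dport 53 -j ACCEPT
$IPT -A FORWARD -p udp --dport 53 -j ACCEPT
$IPT -A FORWARD -p icmp --icmp-type echo-request -j ACCEPT
# No explicit LOGGING jump here: unmatched forwarded packets hit the DROP
# policy silently (as in the original).

### Output Chain
## Accept ESTABLISHED,RELATED
$IPT -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A OUTPUT -o lo -j ACCEPT
## Allow to Chain Output
# Outbound HTTP from this host (e.g. package updates).
$IPT -A OUTPUT -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
## Allow Server to DNS Server
$IPT -A OUTPUT -p tcp --dport 53 -j ACCEPT
$IPT -A OUTPUT -p udp --dport 53 -j ACCEPT
# Allow Port Tertentu dan PING
# Replies from local services (--sports).  Mostly covered by the
# ESTABLISHED rule above; kept for parity with the original ruleset.
$IPT -A OUTPUT -p tcp -m multiport --sports "$REG_PORTS" -j ACCEPT
$IPT -A OUTPUT -p udp -m multiport --sports "$REG_PORTS" -j ACCEPT
$IPT -A OUTPUT -p icmp --icmp-type echo-request -j ACCEPT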
Simpan sebagai file .sh dan set permission-nya:
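# Two separate commands (the original listing fused them onto one line,
# which would pass "chmod 755 myfw.sh" as extra arguments to nano).
# 1. paste the firewall script into myfw.sh
nano myfw.sh
# 2. make it executable
chmod 755 myfw.sh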
Agar firewall berjalan otomatis setiap kali booting:
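# Two separate steps (the original listing fused them onto one line).
# 1. open the boot-time script
nano /etc/rc.local
# 2. add this line to it, before the final "exit 0" so it is actually
#    reached; the rules are then applied on every boot.
sh /root/myfw.sh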