#!/bin/sh

##############################################################################
#
# firewall.sh - simple firewall script to lockdown iptables
#
#    v1.1 - Bruce A. Westbrook - April 25, 2006 - added Oracle ports
#    v1.0 - Bruce A. Westbrook - April 18, 2006 - initial release
#
#
# Quick Notes:
#	-i	Interface that should be filtered
#	-p	Protocol (see /etc/protocols)
#	-s	Source IP address
#	-d	Destination IP address
#	-m	Match -- commonly match on protocol, state or both
#	-j	Jump -- what to do if a packet matches a rule
#	--dport	Destination Port
#	--sport	Source Port
#	--state	Packet State -- INVALID, ESTABLISHED, NEW or RELATED
#
#	iptables -L --line	Shows line numbers of rules
#	iptables -I INPUT "chain_number" "new_rule"	Insert new rule
#	iptables -R INPUT "chain_number" "new_rule"	Replace a rule
#	iptables -A INPUT "new_rule"			Add a rule at the end
#
#	cat /etc/sysconfig/iptables	See the effective rules on a reboot
#
# NOTE:
#       After updating this file on a Windows box,
#       copy the file to a Linux box and issue the 
#       following two commands:  
#         dos2unix firewall.sh
#         chmod +x firewall.sh
#
##############################################################################

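## --- helpers ---------------------------------------------------------------
## POSIX sh has no 'local', so helper scratch variables are prefixed with '_'.

# Print a message to stderr and stop.  Used before and during the rebuild so
# a failure never proceeds silently to "service iptables save".
die() {
  printf '%s\n' "$*" >&2
  exit 1
}

# Run one iptables command and abort on failure.  The original script ignored
# every exit status, so a typo or a missing kernel module could leave a
# half-built ruleset behind and still print the final listing as if all
# was well.
# Arguments: the iptables arguments, e.g. -A INPUT -p tcp --dport 22 -j ACCEPT
ipt() {
  iptables "$@" || die "iptables $* failed"
}

# Clear the screen, show a yes/no dialog and return its exit status as-is:
#   0 = yes, 1 = no, 255 = ESC, anything else = dialog itself failed.
# Arguments: $1 - question text
yesno() {
  clear
  dialog --defaultno --yesno "$1" 7 60
}

# Offer to open one or more TCP ports to any source and append the ACCEPT
# rules on a clear "yes".  Every other answer (no, ESC, dialog error) adds
# nothing, so the firewall stays deny-by-default on any mistake.
# Arguments: $1   - question text
#            $2   - message printed when the rules are added
#            $3   - message printed when the user declines
#            $4.. - TCP destination ports to allow
offer_tcp_ports() {
  _question=$1
  _yes_msg=$2
  _no_msg=$3
  shift 3
  yesno "$_question"
  case $? in
    0) echo "$_yes_msg"
       for _port in "$@"; do
         ipt -A INPUT -p tcp --dport "$_port" -j ACCEPT
       done;;
    1) echo "$_no_msg";;
    *) echo "[ESC] key pressed - skipping";;
  esac
}

## --- preflight -------------------------------------------------------------
## iptables, chkconfig and service all need root.  Without this check every
## command below fails quietly and the script still ends by printing the
## (unchanged) boot file, which looks like success.
[ "$(id -u)" -eq 0 ] || die "firewall.sh must be run as root"
command -v dialog >/dev/null 2>&1 || die "the 'dialog' program is required"
command -v iptables >/dev/null 2>&1 || die "iptables not found in PATH"

## Source network allowed to reach the monitoring ports in the Logicalis
## section below (the only rules in this script restricted by source).
monitor_net=63.210.254.0/24

## --- confirmation ----------------------------------------------------------
clear
dialog \
 --title "Begin Building iptables" \
 --backtitle "Firewall Script - Bruce A. Westbrook" \
 --defaultno \
 --yesno "This script will backup and delete ALL of your current \
          iptables settings before applying a simple iptables. \
          Are you sure you want to continue?" 7 60
## Only an explicit "yes" (status 0) continues.  The original case had no
## default arm, so an unexpected status (e.g. dialog failing to start) fell
## through and flushed the firewall anyway.
case $? in
  0) echo "Script running...";;
  1) echo "Skipping script - no changes were made.";
     exit 0;;
  255) echo "[ESC] key pressed.  Skipping script - no changes were made.";
       exit 0;;
  *) echo "Unexpected dialog status - no changes were made." >&2;
     exit 1;;
esac

## --- backups ---------------------------------------------------------------
## Written to the current directory, so run the script from where you want
## the copies to land.  The two cp calls are best-effort: on a host that has
## never saved a ruleset the files do not exist yet, and that is not an error.

## Save the current iptables from memory
iptables -L > ./iptables_memory.orig

## Save the current iptables from file
cp /etc/sysconfig/iptables ./iptables.orig

## Save the last iptables save from file
cp /etc/sysconfig/iptables.save ./iptables.save.orig

## --- rebuild ---------------------------------------------------------------
## Flush iptables from memory.  Deliberately unchecked: on a kernel without
## the nat or mangle modules those flushes fail and there is nothing to clear.
iptables -F
iptables -F INPUT
iptables -F OUTPUT
iptables -F FORWARD
iptables -F -t mangle
iptables -F -t nat
iptables -X
iptables -Z

## Base ACCEPT rules go in before the INPUT policy flips to DROP, so the
## operator's own SSH session never hits a moment with a DROP policy and no
## ESTABLISHED rule.

## Allow packets that originate from our loopback interface
ipt -A INPUT -i lo -j ACCEPT

## Allow packets from established connections
ipt -A INPUT -m state --state ESTABLISHED -j ACCEPT

## Allow ICMP packets
ipt -A INPUT -p ICMP -j ACCEPT

## SSH
ipt -A INPUT -p tcp --dport 22 -j ACCEPT

## Default actions for the three built-in chains: drop everything inbound or
## forwarded that no rule above accepts, allow all outgoing packets.
ipt -P INPUT DROP
ipt -P FORWARD DROP
ipt -P OUTPUT ACCEPT

## --- optional services -----------------------------------------------------
## Every prompt defaults to "no"; a port is only opened on an explicit "yes".

## Webmin
## (The original ESC arm ran a bare 'read', which is an error under dash and
## otherwise blocked waiting for Enter; it now skips like every other prompt.)
offer_tcp_ports "Do you want to enable WEBMIN access on TCP port 10000?" \
  "Added WEBMIN port 10000..." "Skipping WEBMIN" 10000

## Logicalis - monitoring ports, restricted to the monitoring network,
## plus enabling snmpd at boot.
yesno "Do you want to enable remote Logicalis monitoring?"
case $? in
  0) echo "Adding Logicalis monitoring ports...";
     chkconfig --add snmpd;
     chkconfig --level 2345 snmpd on;
     for _port in 135 381 383 11001 11002 11099; do
       ipt -A INPUT -s "$monitor_net" -p tcp --dport "$_port" -j ACCEPT
     done
     ipt -A INPUT -s "$monitor_net" -p udp --dport 161 -j ACCEPT;;
  1) echo "Skipping Logicalis monitoring ports";;
  *) echo "[ESC] key pressed - skipping";;
esac

## HTTP 80
offer_tcp_ports "Do you want to enable HTTP access on port 80?" \
  "Adding HTTP port 80..." "Skipping HTTP 80" 80

## HTTPS 443
offer_tcp_ports "Do you want to enable HTTPS access on port 443?" \
  "Adding HTTPS port 443..." "Skipping HTTPS 443" 443

## HTTP 8080 (Tomcat)
offer_tcp_ports "Do you want to enable HTTP access on port 8080 (Tomcat)?" \
  "Adding HTTP port 8080..." "Skipping HTTP 8080" 8080

## HTTPS 8443 (Tomcat) - skip message previously said "HTTP 8443"
offer_tcp_ports "Do you want to enable HTTPS access on port 8443 (Tomcat)?" \
  "Adding HTTPS port 8443..." "Skipping HTTPS 8443" 8443

## MySQL 3306
offer_tcp_ports "Do you want to enable remote MySQL access on port 3306?" \
  "Adding MySQL port 3306..." "Skipping MySQL 3306" 3306

## Oracle Net Listener / Enterprise Manager 1521/1526
offer_tcp_ports "Do you want to enable remote Oracle access on default ports 1521 and 1526?" \
  "Adding Oracle port 1521/1526..." "Skipping Oracle 1521/1526" 1521 1526

## Oracle iSQLPlus 5560
offer_tcp_ports "Do you want to enable remote Oracle iSQLPlus access on port 5560?" \
  "Adding Oracle port 5560..." "Skipping Oracle 5560" 5560

## Oracle DBConsole 1158
offer_tcp_ports "Do you want to enable remote Oracle dbconsole access on port 1158?" \
  "Adding Oracle port 1158..." "Skipping Oracle 1158" 1158

## Oracle DBControl Agent 3938
offer_tcp_ports "Do you want to enable remote Oracle dbcontrol agent access on port 3938?" \
  "Adding Oracle port 3938..." "Skipping Oracle 3938" 3938

## --- finish ----------------------------------------------------------------
## Explicit catch-all at the end of INPUT, on top of the DROP policy
ipt -A INPUT -j DROP

## Save our configuration.  A failed save means the rules are live now but
## vanish on reboot, so say so loudly instead of printing the stale file.
service iptables save || die "service iptables save failed - rules are active but NOT saved"
service iptables restart
iptables -L > fw_NEW.txt
clear
cat /etc/sysconfig/iptables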



