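#!/bin/sh
# Filename: rc.firewall
# Date: 8-16-2006
# Author: Rob Flickenger
# Reference: Linux Server Hacks, Hack #45 "Creating a Firewall from the Command
#            Line of any Server"
# Modified: Richard Scott Smith
# Date: 3-1-2007
# Date: 3-20-2007
# Date: 3-24-2007
#
# A simple firewall initialization script.
#
# Order of the rules appended to the filter INPUT chain:
#   1. hosts/networks in $WHITELIST          -> ACCEPT
#   2. NEW connections to $LIMITED ports     -> DROP after $HIT_COUNT attempts
#   3. hosts/networks in $BLACKLIST          -> DROP
#   4. TCP ports in $ALLOWED                 -> ACCEPT
#   5. any other inbound TCP SYN             -> DROP
# Non-TCP traffic and packets of already established TCP connections match
# none of these rules and fall through to the chain policy, which this script
# does not set.
#

WHITELIST=/usr/local/etc/whitelist.txt
BLACKLIST=/usr/local/etc/blacklist.txt

# List of ports to open
ALLOWED="8 10 21 22 25 37 80 88 110 113 139 143 443 445 515 587 3306 8009 8080 8888"

# Ports that are limited from a given ip address per time. These can be
# aliased in /etc/services.
LIMITED=ftp,ssh,pop3

# Hit count, the number of times connections can be made from a given
# ip address.
HIT_COUNT=6

# Interval, the time period limit for hits and blocking time in seconds.
HIT_INTERVAL=600

# Toggle logging, on/off
LOGGING=off

#######################################
# Append a rule to the filter INPUT chain, preceded by an identical LOG rule
# when LOGGING is "on". Replaces the four copies of the same if/LOG/rule
# sequence the script used to carry.
# Globals:   LOGGING (read); rule_prefix, rule_target (written; plain sh has
#            no 'local')
# Arguments: $1   - log prefix (only used when logging is on)
#            $2   - target, ACCEPT or DROP
#            $3.. - iptables match options, e.g. -s 10.0.0.1 or -p tcp --dport 22
#######################################
add_rule() {
  rule_prefix=$1
  rule_target=$2
  shift 2
  if [ "$LOGGING" = "on" ]; then
    iptables -A INPUT -t filter "$@" -j LOG --log-level info \
      --log-prefix "$rule_prefix"
  fi
  iptables -A INPUT -t filter "$@" -j "$rule_target"
}

#######################################
# Print the first field of every non-blank, non-comment line of a list file.
# A missing or unreadable file is reported on stderr and produces no output,
# so no rules are applied for it instead of the old silent grep failure.
# Arguments: $1 - path to the list file
# Outputs:   one host or network per line on stdout
# Returns:   1 if the file cannot be read, else 0
#######################################
list_entries() {
  if [ ! -r "$1" ]; then
    printf 'rc.firewall: cannot read %s, skipping\n' "$1" >&2
    return 1
  fi
  # read -r keeps backslashes; the || clause keeps a final line that has no
  # trailing newline. Leading whitespace is stripped, so an indented '#'
  # is still treated as a comment (the old grep -v ^# passed it to iptables).
  while read -r entry _ || [ -n "$entry" ]; do
    case $entry in
      ''|\#*) continue ;;
    esac
    printf '%s\n' "$entry"
  done < "$1"
}

#
# Drop all existing filter rules. -F flushes every chain of the filter table;
# chain policies are left untouched.
#
iptables -F

#
# First, run through $WHITELIST, accepting all traffic from the hosts and
# networks contained therein.
#
list_entries "$WHITELIST" | while IFS= read -r x; do
  echo "Permitting $x..."
  add_rule "Accepted: " ACCEPT -s "$x"
done

# Started using on 3-1-2007, 18:47pm
# Moved, so it's after the whitelist on 3-18-2007, 10:44pm
# Added the $LIMITED variable and multiport so that I could add pop3
# and others in the future using the variable above.
# This is adapted from http://mwolf.net/archive/iptables-against-ssh/
echo
echo "Blocking script attacks..."
echo "Limit $((HIT_COUNT - 1)) connections to $LIMITED in a $HIT_INTERVAL second period."
echo "$HIT_COUNT connection attempts causes blocking."
echo "Blocking ends after $HIT_INTERVAL seconds of no connection attempts."
echo

# The first rule records each NEW connection attempt to a limited port in the
# SCRIPT_ATTACKS list. It deliberately has no target: the packet must continue
# to the second rule, which drops it once the source has made HIT_COUNT
# attempts within HIT_INTERVAL seconds (--update refreshes the entry, so the
# block lasts until HIT_INTERVAL seconds pass with no further attempts).
# Previously the first rule jumped to ACCEPT, which (a) accepted every NEW
# attempt before the DROP rule could ever see it and (b) accepted blacklisted
# hosts on these ports because the blacklist is applied below. Both rules are
# restricted to NEW connections; without that, the DROP rule would also count
# the packets of an established session and eventually drop it.
iptables -A INPUT \
  -p tcp -m multiport --destination-ports "$LIMITED" \
  -m state --state NEW \
  -m recent --set --name SCRIPT_ATTACKS
iptables -A INPUT \
  -p tcp -m multiport --destination-ports "$LIMITED" \
  -m state --state NEW \
  -m recent --update --seconds "$HIT_INTERVAL" --hitcount "$HIT_COUNT" --rttl --name SCRIPT_ATTACKS \
  -j DROP

#
# Now run through $BLACKLIST, dropping all traffic from the hosts and networks
# contained therein.
#
list_entries "$BLACKLIST" | while IFS= read -r x; do
  echo "Blocking $x..."
  add_rule "Blacklist Dropped: " DROP -s "$x"
done

#
# Next, the permitted ports: What will we accept from hosts not appearing
# on the blacklist?
#
for port in $ALLOWED; do
  echo "Accepting port $port..."
  add_rule "Accepted: " ACCEPT -p tcp --dport "$port"
done

#
# Finally, unless it's mentioned above, and it's an inbound startup request,
# just drop it.
#
# Note: This makes things like nmap have to be executed in -P0 mode. The host
# will not respond to pings. This makes nmap *much* slower which is good for
# people who are looking for something easy to attack. The person will get
# an error like this: ping: icmp open socket: Operation not permitted
#
# NOTE(review): no rule accepts traffic on the loopback interface, so local
# TCP connections to ports outside $ALLOWED also hit this DROP — confirm that
# is intended.
#
add_rule "SYN Dropped: " DROP -p tcp --syn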