Arma tu propio firewall en Linux

#!/bin/env bash
# -- UTF 8 --
# This script works better on Archlinux. It was made on Archlinux, so if you found something stranger, you've been warned

# Some common variables
# Where are these programs??
iptables="$(which iptables)"
modprobe="$(which modprobe)"
awk="$(which awk)"
cut="$(which cut)"
ip="$(which ip)"

# Other variables
input="$iptables -A INPUT"
output="$iptables -A OUTPUT"
forward="$iptables -A FORWARD"
funfact="$input"
ok="-j ACCEPT"
drop="-j DROP"
log="-j LOG --log-prefix"
asculta_radio_port="9744"
red_net="$($ip route | $awk '/dev.*proto/{print $NE; exit}' | $cut -d ' ' -f1)"
active_face="$($ip addr show | $awk '/inet.*brd/{print $NF; exit}')"
internal_ip="$($ip addr show $active_face | grep "inet\b" | $awk '{print $2}' | $cut -d/ -f1)"
N3ds_client="192.168.10.42/24"
N3ds_port="5000"
spoof_ips="0.0.0.0/8 127.0.0.0/8 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 224.0.0.0/3"

# Load these modules to allow better analyze and LOG

$modprobe nf_conntrack
$modprobe nf_conntrack_ftp
$modprobe xt_conntrack
$modprobe xt_LOG
$modprobe xt_state

# Clear the tables or existent rules on 'em
$iptables -X
$iptables -Z
$iptables -t nat -F

# Other rules that needs to be flushed
$iptables -F
$iptables -t nat -X
$iptables -t raw -F
$iptables -t raw -X
$iptables -t security -F
$iptables -t security -X
$iptables -t mangle -F
$iptables -t mangle -X

# By default the politicy'll be DROP
# FILTER
$iptables -P INPUT DROP
$iptables -P FORWARD DROP
$iptables -P OUTPUT DROP

# Allow everythings on localhost
$input -i lo $ok -m comment --comment "Local HOST"
$output -o lo $ok -m comment --comment "Local HOST"
#$forward ! -i $inside_net -m conntrack --ctstate NEW $ok

# Allow pdnsd works

$input -p udp -m udp --sport domain -m conntrack --ctstate ESTABLISHED,RELATED $ok -m comment --comment "dns port (53)"
$output -p udp -m udp --dport domain -m conntrack --ctstate NEW,ESTABLISHED $ok -m comment --comment "dns port (53)"

# Allow access from all subnet
$input -p tcp -s $red_net $ok -m comment --comment="subnet access"
$output -p tcp -s $red_net $ok -m comment --comment="subnet_access"


# Theses rules allow to go to the Internet
$input -p tcp -m tcp --sport http -m conntrack --ctstate ESTABLISHED $ok -m comment --comment "http insecure (80) port"
$output -p tcp -m tcp --dport http -m conntrack --ctstate NEW,ESTABLISHED $ok -m comment --comment "http insecure (80) port"

$input -p tcp -m tcp --sport https -m conntrack --ctstate ESTABLISHED $ok -m comment --comment "https secure (443) port"
$output -p tcp -m tcp --dport https -m conntrack --ctstate NEW,ESTABLISHED $ok -m comment --comment "https secure (443) port"

# Allow to upload CIA's to 3DS system
$output -p tcp -m tcp --dport $N3ds_port -s $N3ds_client -m conntrack --ctstate ESTABLISHED $log "N3DS is Working now-OUT: " --log-level 7
$output -p tcp -m tcp --dport $N3ds_port -s $N3ds_client -m conntrack --ctstate ESTABLISHED $ok -m comment --comment "3DS FBI port"
$input -p tcp -m tcp --sport $N3ds_port -s $N3ds_client -m conntrack --ctstate NEW,ESTABLISHED $log "N3DS is Working now-IN: " --log-level 7
$input -p tcp -m tcp --sport $N3ds_port -s $N3ds_client -m conntrack --ctstate NEW,ESTABLISHED $ok -m comment --comment "3DS FBI port"


# Allow streaming from internet
# Asculta RadioLive.ro
$input -p tcp -m tcp --sport $asculta_radio_port -m conntrack --ctstate ESTABLISHED $ok -m comment --comment "Asculta Radio Live"
$output -p tcp -m tcp --dport $asculta_radio_port -m conntrack --ctstate NEW,ESTABLISHED $ok -m comment --comment "Asculta Radio Live"

# Allow outgoing connections ssh standard port
$output -p tcp --dport ssh -m conntrack --ctstate NEW,ESTABLISHED $ok -m comment --comment "ssh standard (22) port"
$input -p tcp --sport ssh -m conntrack --ctstate ESTABLISHED $ok -m comment --comment "ssh standard (22) port"

# To enable, uncomment it
#Allow incoming connections ssh standard port
#$input -p tcp --sport ssh -m conntrack --ctstate NEW,ESTABLISHED $ok
#$output -p tcp --dport ssh -m conntrack --ctstate ESTABLISHED $ok

# Allow to incoming connections through git standar port
$input -p tcp --sport git -m conntrack --ctstate ESTABLISHED $ok -m comment --comment "git standard (9418) port"
$output -p tcp --dport git -m conntrack --ctstate NEW,ESTABLISHED $ok -m comment --comment "git standard (9418) port"

# Allow ping from out and inside of computer
$output -p icmp -m conntrack  --ctstate NEW,ESTABLISHED,RELATED $ok
$input -p icmp -m conntrack --ctstate ESTABLISHED,RELATED $ok

#Other harderning
# Force SYN packets check
#$input -p tcp ! --syn -m conntrack --ctstate NEW $drop
$input -p tcp -m conntrack --ctstate NEW ! --syn $log "state test" -m comment --comment "state test"
$input -p tcp -m conntrack --ctstate NEW ! --syn $drop -m comment --comment "Force SYN packets check"


#Force Fragments packets check
$input -f $drop

#Anti-MiM
# Linux Iptables Avoid IP Spoofing And Bad Addresses Attacks
#From WAN
$input -i $active_face -s $internal_ip $drop
$output -o $active_face -s $internal_ip $drop

#From LAN
$input -i $active_face -s $red_net $drop
$output -o $active_face -s $red_net $drop

# Drop all spoofed_ips
for ip in $spoof_ips
do
   $input -i $active_face -s $ip $drop -m comment --comment "getout spoof_ips"
   $output -o $active_face -s $ip $drop -m comment --comment "getout spoof_ips"
done

# Anti-flooding o inundación de tramas SYN-FLOOD.
$iptables -N syn-flood
$iptables -A syn-flood -m limit --limit 10/second --limit-burst 50 -j RETURN
$iptables -A syn-flood $log "SYN flood: "
$iptables -A syn-flood $drop

# FunFACTs!! excuse me Sheldon
$funfact -p TCP -m conntrack --ctstate RELATED,ESTABLISHED $ok
$funfact -p UDP -m conntrack --ctstate RELATED,ESTABLISHED $ok
$funfact -p ICMP -m conntrack --ctstate RELATED,ESTABLISHED $ok
$funfact -m conntrack --ctstate INVALID -j REJECT
$funfact -p tcp --tcp-flags ACK,FIN FIN $log "FIN: "
$funfact -p tcp --tcp-flags ACK,FIN FIN -j REJECT
$funfact -p tcp --tcp-flags ACK,PSH PSH $log "PSH: "
$funfact -p tcp --tcp-flags ACK,PSH PSH -j REJECT
$funfact -p tcp --tcp-flags ACK,URG URG $log "URG: "
$funfact -p tcp --tcp-flags ACK,URG URG -j REJECT
$funfact -p tcp --tcp-flags ALL ALL $log "XMAS scan: "
$funfact -p tcp --tcp-flags ALL ALL -j REJECT
$funfact -p tcp --tcp-flags ALL NONE $log "NULL scan: "
$funfact -p tcp --tcp-flags ALL NONE -j REJECT
$funfact -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG $log "pscan: "
$funfact -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j REJECT
$funfact -p tcp --tcp-flags SYN,FIN SYN,FIN $log "pscan 2: "
$funfact -p tcp --tcp-flags SYN,FIN SYN,FIN -j REJECT
$funfact -p tcp --tcp-flags FIN,RST FIN,RST $log "pscan 2: "
$funfact -p tcp --tcp-flags FIN,RST FIN,RST -j REJECT
$funfact -p tcp --tcp-flags ALL SYN,FIN $log "SYNFIN-SCAN: "
$funfact -p tcp --tcp-flags ALL SYN,FIN -j REJECT
$funfact -p tcp --tcp-flags ALL URG,PSH,FIN $log "NMAP-XMAS-SCAN: "
$funfact -p tcp --tcp-flags ALL URG,PSH,FIN -j REJECT
$funfact -p tcp --tcp-flags ALL FIN $log "FIN-SCAN: "
$funfact -p tcp --tcp-flags ALL FIN -j REJECT
$funfact -p tcp --tcp-flags ALL URG,PSH,SYN,FIN $log "NMAP-ID: "
$funfact -p tcp --tcp-flags ALL URG,PSH,SYN,FIN -j REJECT
$funfact -p tcp --tcp-flags SYN,RST SYN,RST $log "SYN-RST: "

# For debugging, use e.g.:
# * tcpdump, to see the packets - run tcpdump on the PCs involved.
# * iptables rate-limited logging, to gain insight into how the iptables rules are working. E.g.:

$input -m limit --limit 10/min --limit-burst 10 $log "rate-limited attempt: " --log-level warning

##prevent UDP flooding general
$iptables -N udp-flood
$iptables -A OUTPUT -p udp -j udp-flood
$iptables -A udp-flood -p udp -m limit --limit 50/s --limit-burst 4 -j RETURN
$iptables -A udp-flood $log 'UDP-flood attempt: ' --log-level 4
$iptables -A udp-flood $drop

# Blocking DNS Amplification attacks
# Use the string module of iptables to block all packets that contain isc.org and ripe.
$input -p udp -m string --hex-string "|03697363036f726700|" --algo bm --to 65535 $drop
$input -p udp -m udp --dport 53 -m limit --limit 5/sec $log "fw-dns " --log-level 7

##prevent amplification attack
$iptables -N DNSAMPLY
$iptables -A DNSAMPLY -p udp -m state --state NEW -m udp --dport 53 $ok
$iptables -A DNSAMPLY -p udp -m hashlimit --hashlimit-srcmask 24 --hashlimit-mode srcip --hashlimit-upto 30/m --hashlimit-burst 10 --hashlimit-name DNSTHROTTLE --dport 53 $ok
$iptables -A DNSAMPLY -p udp -m udp --dport 53 $drop

# log before DROP
$input $log "IP: INPUT drop: "  -m limit --limit 12/min --log-level 4
$output  $drop
$input $log "IP: OUTPUT drop: "  -m limit --limit 12/min --log-level 4
$output $drop
$input $log "IP: FORWARD drop: " -m limit --limit 12/min --log-level 4
$output $drop

# log after DROP
$input $log "FIREWALL:INPUT "
$output $log "FIREWALL: OUTPUT "
$forward $log "FIREWALL: FORWARD "

# Close all foreing people
$input -s 0/0 -d 0/0 -p udp $drop
$input -s 0/0 -d 0/0 -p tcp --syn $drop

# Seeya!