init III

LinuxServerTools/iptables/dagobert_firewall.sh

@@ -0,0 +1,186 @@
+#!/bin/bash
+### BEGIN INIT INFO
+# Provides:          firewall_rules
+# Required-Start:    $local_fs $remote_fs $network
+# Required-Stop:     $local_fs $remote_fs $network
+# Should-Start:      
+# Should-Stop:       
+# Default-Start:     2 3 4 5
+# Default-Stop:      0 1 6
+# Short-Description: agadmin firewall rules
+### END INIT INFO
+
+ACTION=$1
+
+TLD="cn iq ir kp ru tr tw"
+
+URL="http://www.ipdeny.com/ipblocks/data/countries/"
+INPUT="INPUT"
+OUTPUT="OUTPUT"
+PIDDIR="/var/run"
+
+function block_country_chains {
+  if [ "$1" == "STOP" ]; then
+    for Z in `iptables -S | grep -E '^-N' | grep ".ct.chain" | awk '{print $2;}'`
+    do
+      iptables -D $INPUT -j $Z
+      iptables -F $Z
+      iptables -X $Z
+    done
+    return
+  fi
+  cd /tmp
+  # chains bilden und in INPUT chain einbinden
+  for C in $TLD
+  do
+    iptables -N $C.ct.chain
+    iptables -A $INPUT -j $C.ct.chain
+  done
+
+  sleep 10
+  for C in $TLD
+  do
+    wget $URL$C.zone > /dev/null 2>&1
+  done
+  
+  for C in $TLD
+  do
+    for IP in `cat $C.zone`
+    do
+      iptables -A $C.ct.chain -s $IP -j DROP > /dev/null 2>&1
+    done
+  done
+}
+
+function services_chain {
+  if [ "$1" == "STOP" ]; then
+    iptables -D $INPUT -j SERVICES.chain
+    iptables -F SERVICES.chain
+    iptables -X SERVICES.chain
+    return
+  fi
+  SERVICES="993 995 587 465 25 143 110 443 80 53 389"
+  iptables -N SERVICES.chain
+  for PORT in $SERVICES; do
+    iptables -A SERVICES.chain  -p tcp --dport "$PORT" -j ACCEPT
+  done  
+  iptables -A SERVICES.chain -p udp --dport 53  -j ACCEPT
+  iptables -A $INPUT -j SERVICES.chain
+}
+
+function admin_chain {
+  if [ "$1" == "STOP" ]; then
+    iptables -D $INPUT -j ADMIN.chain
+    iptables -F ADMIN.chain
+    iptables -X ADMIN.chain
+    return
+  fi
+  iptables -N ADMIN.chain
+  iptables -A ADMIN.chain -m state --state ESTABLISHED,RELATED -j ACCEPT
+  iptables -A ADMIN.chain -p tcp --dport 22  -j ACCEPT
+  iptables -A ADMIN.chain -p udp --dport 161 -j ACCEPT
+  iptables -A ADMIN.chain -p tcp --dport 953 -j ACCEPT
+  iptables -A ADMIN.chain -d 127.0.0.0/8     -j ACCEPT
+  iptables -A ADMIN.chain -s 5.1.84.159      -j ACCEPT
+  iptables -A ADMIN.chain -s 5.1.84.160      -j ACCEPT
+  iptables -A ADMIN.chain -s 62.113.250.204  -j ACCEPT
+  iptables -A ADMIN.chain -p icmp            -j ACCEPT
+  iptables -A $INPUT -j ADMIN.chain
+}
+
+function imscp_logging_chains {
+  if [ "$1" == "STOP" ]; then
+    iptables -D $INPUT -j IMSCP_INPUT
+    iptables -D $OUTPUT -j IMSCP_OUTPUT
+    iptables -F IMSCP_INPUT
+    iptables -F IMSCP_OUTPUT
+    iptables -X IMSCP_INPUT
+    iptables -X IMSCP_OUTPUT
+    return
+  fi
+  SERVICES_IN="80 443 110 143 25 465 587 995 993"
+  SERVICES_OUT="25 465 587"
+  
+  iptables -N IMSCP_INPUT
+  iptables -N IMSCP_OUTPUT
+
+  iptables -A $INPUT  -j IMSCP_INPUT
+  iptables -A $OUTPUT -j IMSCP_OUTPUT
+
+  for PORT in $SERVICES_IN; do
+    iptables -A IMSCP_INPUT  -p tcp --dport "$PORT"
+    iptables -A IMSCP_OUTPUT -p tcp --sport "$PORT"
+  done
+  
+  for PORT in $SERVICES_OUT; do
+    iptables -A IMSCP_INPUT  -p tcp --sport "$PORT"
+    iptables -A IMSCP_OUTPUT -p tcp --dport "$PORT"
+  done
+
+  iptables -A IMSCP_INPUT -j RETURN
+  iptables -A IMSCP_OUTPUT -j RETURN
+}
+
+#####################################################################################################
+
+case  $ACTION  in
+  start)
+    if [ -f $PIDDIR/firewall.pid ]; then
+      echo "Firewall bereits aktiv"
+      exit
+    fi
+    echo "Firewall wird gestartet"
+    touch $PIDDIR/firewall.pid
+    iptables -P $INPUT DROP
+    #imscp_logging_chains START
+    iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
+    block_country_chains START &
+    sleep 5
+    services_chain START
+    admin_chain START
+    ;;
+  stop)
+    if [ ! -f $PIDDIR/firewall.pid ]; then
+      echo "Firewall bereits gestoppt"
+      exit
+    fi
+    echo "Firewall wird gestoppt"
+    rm $PIDDIR/firewall.pid
+    iptables -P $INPUT ACCEPT
+    #imscp_logging_chains STOP
+    iptables -D INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
+    block_country_chains STOP
+    services_chain STOP
+    admin_chain STOP
+    ;;
+  reload|restart)
+    if [ -f $PIDDIR/firewall.pid ]; then
+      echo "Firewall wird gestoppt"
+      rm $PIDDIR/firewall.pid
+      iptables -P $INPUT ACCEPT
+      #imscp_logging_chains STOP
+      iptables -D INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
+      block_country_chains STOP
+      services_chain STOP
+      admin_chain STOP
+    else
+      echo "Firewall nicht gestartet"
+    fi
+    echo "Firewall wird gestartet"
+    touch $PIDDIR/firewall.pid
+    iptables -P $INPUT DROP
+    #imscp_logging_chains START
+    iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
+    block_country_chains START &
+    sleep 5
+    services_chain START
+    admin_chain START
+    ;;
+  status)
+    if [ -f $PIDDIR/firewall.pid ]; then
+      echo "Firewall aktiv"
+      exit
+    fi
+    echo "Firewall nicht aktiv"
+    ;;
+esac 

LinuxServerTools/iptables/daisy_firewall.sh

@@ -0,0 +1,36 @@
+#!/bin/bash
+
+TLD="cn iq ir kp ru tr tw"
+
+URL="http://www.ipdeny.com/ipblocks/data/countries/"
+
+# chains komplett entfernen
+for C in $TLD
+do
+  iptables -D BLOCKCOUNTRY -j $C
+  iptables -F $C
+  iptables -X $C
+done
+
+# chains bauen
+cd /tmp
+for C in $TLD
+do
+  iptables -N $C.ct.chain
+  iptables -A BLOCKCOUNTRY -j $C.ct.chain
+done
+
+# länderinfos herunterladen
+for C in $TLD
+do
+  wget $URL$C.zone > /dev/null 2>&1
+done
+ 
+#länderinfos in chains 
+for C in $TLD
+do
+  for IP in `cat $C.zone`
+  do
+    iptables -A $C.ct.chain -s $IP -j DROP > /dev/null 2>&1
+  done
+done