Hi,
I want to add an Iptables to secure more the quickbox ;
#!/bin/bash
### BEGIN INIT INFO
# Provides: firewall rules
# Required-Start: $remote_fs $syslog
# Required-Stop: $remote_fs $syslog
# Default-Start: 2 3 4 5
# Default-Stop: 0 1 6
# Short-Description: Start daemon at boot time
# Description: Enable service provided by daemon.
### END INIT INFO
#!/bin/sh
# On vire tout
iptables -t filter -F
iptables -L
iptables -Z
# Vider les règles personnelles
iptables -t filter -X
echo - Vidage : [OK]
# Interdire toute connexion entrante et sortante
iptables -t filter -P INPUT DROP
iptables -t filter -P FORWARD DROP
iptables -t filter -P OUTPUT DROP
echo - Interdire toute connexion : [OK]
#Filtres Anti Hadopi et Autres Lourds
iptables -t filter -I INPUT -p all -s 61.174.51.0/24,61.64.128.0/17,116.10.191.0/24,122.120.0.0/13,168.95.0.0/16 -j DROP
iptables -t filter -I INPUT -p all -s 5.23.42.12/30,90.80.100.192/28,195.5.217.72/29,194.79.189.240/29 -j DROP
iptables -t filter -I INPUT -p all -s 82.138.70.128/26,82.138.74.0/25,91.189.104.0/21,193.107.240.0/22,195.191.244.0/23,193.105.197.0/24 -j DROP
iptables -t filter -A INPUT -p tcp --dport 80 -m string --to 70 --algo bm --string 'GET /w00tw00t.at.ISC.SANS.' -j DROP
echo - Blocage indésirable : [OK]
# On garde les connexions etablies
iptables -t filter -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -t filter -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
echo - Connexion actuelle : [OK]
# Autoriser le loopback (reseau local)
iptables -t filter -A INPUT -i lo -j ACCEPT
iptables -t filter -A OUTPUT -o lo -j ACCEPT
echo - LOOPBACK : [OK]
# ICMP (ping)
iptables -t filter -A INPUT -p icmp -j ACCEPT
iptables -t filter -A OUTPUT -p icmp -j ACCEPT
echo - ICMP : [OK]
# DNS (bind)
iptables -t filter -A INPUT -p tcp --dport 53 -j ACCEPT
iptables -t filter -A OUTPUT -p tcp --dport 53 -j ACCEPT
iptables -t filter -A INPUT -p udp --dport 53 -j ACCEPT
iptables -t filter -A OUTPUT -p udp --dport 53 -j ACCEPT
iptables -t filter -A OUTPUT -p tcp --dport 953 -j ACCEPT
iptables -t filter -A OUTPUT -p udp --dport 953 -j ACCEPT
iptables -t filter -A INPUT -p tcp --dport 953 -j ACCEPT
iptables -t filter -A INPUT -p udp --dport 953 -j ACCEPT
echo - BIND : [OK]
# APACHE : HTTP + HTTPS
iptables -t filter -A OUTPUT -p tcp --dport 80 -j ACCEPT
iptables -t filter -A OUTPUT -p tcp --dport 443 -j ACCEPT
iptables -t filter -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -t filter -A INPUT -p tcp --dport 443 -j ACCEPT
echo - web : [OK]
# Mail SMTP:25 - Pour acces gmail ajouter 587
iptables -t filter -A INPUT -p tcp --dport 25 -j ACCEPT
iptables -t filter -A OUTPUT -p tcp --dport 25 -j ACCEPT
iptables -t filter -A OUTPUT -p tcp --dport 587 -j ACCEPT
echo - SMTP : [OK]
# NTP Horloge synchro
iptables -t filter -A OUTPUT -p udp --dport 123 -j ACCEPT
echo - NTP : [OK]
# SSH numeros de Port a changer (XXXX) en rapport avec : : "/etc/ssh/sshd_config" on remplace XXXX par votre port ssh par exemple 22
iptables -t filter -A INPUT -p tcp --dport 4747 -m recent --rcheck --seconds 60 --hitcount 2 --name SSH -j LOG --log-prefix "SSH REJECT"
iptables -t filter -A INPUT -p tcp --dport 4747 -m recent --update --seconds 60 --hitcount 2 --name SSH -j DROP
iptables -t filter -A INPUT -p tcp --dport 4747 -m state --state NEW -m recent --set --name SSH -j ACCEPT
echo - Autoriser SSH : [OK]
# OUVERTURE QUICKBOX
# RPORT
iptables -t filter -A INPUT -p tcp --dport 2000:61000 -j ACCEPT
iptables -t filter -A OUTPUT -p tcp --sport 2000:61000 -j ACCEPT
iptables -t filter -A INPUT -m udp -p udp --dport 2000:61000 -j ACCEPT
iptables -t filter -A OUTPUT -m udp -p udp --dport 2000:61000 -j ACCEPT
# WEBPORT
iptables -t filter -A INPUT -p tcp --dport 8115:8145 -j ACCEPT
iptables -t filter -A OUTPUT -p tcp --sport 8115:8145 -j ACCEPT
iptables -t filter -A INPUT -m udp -p udp --dport 8115:8145 -j ACCEPT
iptables -t filter -A OUTPUT -m udp -p udp --dport 8115:8145 -j ACCEPT
# Rtorrent a vous de mettre les bons ports surtout pour le port d'annonce tracker
iptables -t filter -A INPUT -p tcp --dport 6890:6999 -j ACCEPT
iptables -t filter -A OUTPUT -p tcp --sport 6890:6999 -j ACCEPT
iptables -t filter -A INPUT -m udp -p udp --dport 6881:6999 -j ACCEPT
iptables -t filter -A OUTPUT -m udp -p udp --dport 6881:6999 -j ACCEPT
iptables -t filter -A INPUT -p tcp --dport 6400 -j ACCEPT
iptables -t filter -A OUTPUT -p tcp --sport 6400 -j ACCEPT
iptables -t filter -A INPUT -p udp --dport 6400 -j ACCEPT
iptables -t filter -A OUTPUT -p udp --dport 6400 -j ACCEPT
iptables -t filter -A INPUT -p tcp --dport 35000 -j ACCEPT
iptables -t filter -A OUTPUT -p tcp --sport 35000 -j ACCEPT
iptables -t filter -A INPUT -p udp --dport 35000 -j ACCEPT
iptables -t filter -A OUTPUT -p udp --dport 35000 -j ACCEPT
iptables -t filter -A INPUT -p tcp --dport 2086 -j ACCEPT
iptables -t filter -A OUTPUT -p tcp --sport 2086 -j ACCEPT
iptables -t filter -A INPUT -p udp --dport 2086 -j ACCEPT
iptables -t filter -A OUTPUT -p udp --dport 2086 -j ACCEPT
iptables -t filter -A OUTPUT -p tcp -m tcp -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
echo - RTORRENT : [OK]
#Decommenter ci-dessous les services que vous utilisez
# FTP (BACKUP)
iptables -t filter -A INPUT -p tcp --dport 21 -j ACCEPT
iptables -t filter -A OUTPUT -p tcp --dport 21 -j ACCEPT
# Mail POP3:110
# iptables -t filter -A INPUT -p tcp --dport 110 -j ACCEPT
# iptables -t filter -A OUTPUT -p tcp --dport 110 -j ACCEPT
# Mail IMAP:143
# iptables -t filter -A INPUT -p tcp --dport 143 -j ACCEPT
# iptables -t filter -A OUTPUT -p tcp --dport 143 -j ACCEPT
# Mail POP3S:995
# iptables -t filter -A INPUT -p tcp --dport 995 -j ACCEPT
# iptables -t filter -A OUTPUT -p tcp --dport 995 -j ACCEPT
# WEBMIN
# iptables -t filter -A INPUT -p tcp --dport 10000 -m state --state NEW,ESTABLISHED -j ACCEPT
# iptables -t filter -A OUTPUT -p tcp --dport 10000 -m state --state ESTABLISHED -j ACCEPT
But about this :
RPORT
iptables -t filter -A INPUT -p tcp --dport 2000:61000 -j ACCEPT
iptables -t filter -A OUTPUT -p tcp --sport 2000:61000 -j ACCEPT
iptables -t filter -A INPUT -m udp -p udp --dport 2000:61000 -j ACCEPT
iptables -t filter -A OUTPUT -m udp -p udp --dport 2000:61000 -j ACCEPT
WEBPORT
iptables -t filter -A INPUT -p tcp --dport 8115:8145 -j ACCEPT
iptables -t filter -A OUTPUT -p tcp --sport 8115:8145 -j ACCEPT
iptables -t filter -A INPUT -m udp -p udp --dport 8115:8145 -j ACCEPT
iptables -t filter -A OUTPUT -m udp -p udp --dport 8115:8145 -j ACCEPT
the plage port seems to be a bit to large . 2000:61000 if i want to do it smaller . i have to change it in /etc/QuickBox/setup/templates/bashrc.template ?
any idea ?
what d you thnk about this script ?