05.01 | Posted in

firewall sederhana menggunakan IPTABLES
#!/bin/bash
# firewall sederhana buat warnet
# prinsip di blok semua, baru di buka 1 1 (jgn buka2 yg laen2 ya ) :D

#--- clear tables

iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT
iptables -F
iptables -t nat -P PREROUTING ACCEPT
iptables -t nat -P POSTROUTING ACCEPT
iptables -t nat -P OUTPUT ACCEPT
iptables -t nat -F
iptables -t mangle -P PREROUTING ACCEPT
iptables -t mangle -P INPUT ACCEPT
iptables -t mangle -P FORWARD ACCEPT
iptables -t mangle -P OUTPUT ACCEPT
iptables -t mangle -P POSTROUTING ACCEPT
iptables -t mangle -F


# LOCALHOST

iptables -A INPUT -s 127.0.0.1 -d 127.0.0.1 -j ACCEPT

# INCOMING TRAFFIC

#--- Local ---#

#--- proxy
iptables -A INPUT -p tcp -s 192.168.0.0/24 --dport 3128 -j ACCEPT
iptables -A INPUT -p udp -s 192.168.0.0/24 --dport 3128 -j ACCEPT

#--- snmp--> misalkan isp butuh ngecek snmp anda
iptables -A INPUT -p udp -s 202.xxx.xxx.xxx --dport 161:162 -j ACCEPT
iptables -A INPUT -p udp -s 202.xxx.xxx.xxx --dport 161:162 -j ACCEPT

#--- ping
iptables -A INPUT -p icmp -s 202.xxx.xxx.xxx -j ACCEPT
iptables -A INPUT -p icmp -s 202.xxx.xxx.xxx -j ACCEPT

#--- ssh ---> misalkan hanya ip public tertentu boleh akses ssh & local
iptables -A INPUT -p tcp -s 202.69.97.241 --dport 22 -j ACCEPT
iptables -A INPUT -p tcp -s 192.168.0.0/24 --dport 22 -j ACCEPT

#--- dns
iptables -A INPUT -p udp --sport 53 -j ACCEPT
iptables -A INPUT -p udp --dport 53 -j ACCEPT

#--- ident
iptables -A INPUT -p tcp --dport 111 -j ACCEPT
iptables -A INPUT -p tcp --sport 111 -j ACCEPT

#--- traceroute
#iptables -A INPUT -p udp --dport 33434:33524 -j ACCEPT

#--- ftp
#iptables -A INPUT -p tcp --dport 21 -j ACCEPT
#iptables -A INPUT -p tcp --sport 21 -j ACCEPT
#iptables -A INPUT -p tcp --dport 20 -j ACCEPT
#iptables -A INPUT -p tcp --sport 20 -j ACCEPT

#--- response traffic
iptables -A INPUT -p tcp ! --syn -j ACCEPT

#--- default
#iptables -A INPUT -j LOG --log-level info --log-prefix local0
iptables -P INPUT DROP



# FORWARDING TRAFFIC

#---------------------------------------------------------------------------
#--- dropped traffic ---

#-- netbios ---> paket virus (huheueheue, port mikocok)
iptables -A FORWARD -p tcp --dport 135 -j DROP
iptables -A FORWARD -p udp --dport 135 -j DROP
iptables -A FORWARD -p tcp --dport 137 -j DROP
iptables -A FORWARD -p udp --dport 137 -j DROP
iptables -A FORWARD -p tcp --dport 138 -j DROP
iptables -A FORWARD -p udp --dport 138 -j DROP
iptables -A FORWARD -p tcp --dport 139 -j DROP
iptables -A FORWARD -p udp --dport 139 -j DROP
iptables -A FORWARD -p tcp --dport 445 -j DROP
iptables -A FORWARD -p udp --dport 445 -j DROP


#--- permit local
iptables -A FORWARD -s 192.168.0.0/24 -j ACCEPT
iptables -A FORWARD -d 192.168.0.0/24 -j ACCEPT

#-- local
#iptables -A FORWARD -s 10.0.0.0/8 -j DROP
#iptables -A FORWARD -d 10.0.0.0/8 -j DROP
#iptables -A FORWARD -s 172.16.0.0/12 -j DROP
#iptables -A FORWARD -d 172.16.0.0/12 -j DROP
#iptables -A FORWARD -s 192.168.0.0/16 -j DROP
#iptables -A FORWARD -d 192.168.0.0/16 -j DROP

iptables -P FORWARD DROP


# NAT tuk IRC (bila perlu ganti ip, kl irc anda kena akill) --> ip block
iptables -t nat -A POSTROUTING -o eth0 -p tcp -s 192.168.0.0/24 --dport 6000:7000 -j SNAT --to-source 202.xxx.xxx.xxx
iptables -t nat -A POSTROUTING -o eth0 -p tcp -s 192.168.0.0/24 --dport 6000:7000 -j SNAT --to-source 202.xxx.xxx.xxx


# NAT
#iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to-source 202.xxx.xxx.xxx


# TRANSPARENT PROXY
iptables -t nat -A PREROUTING -i eth1 -p tcp -s 192.168.0.0/24 --dport 80 -j REDIRECT --to-port 3128

# END


Category:
��

Comments

2 responses to "firewall sederhana menggunakan IPTABLES"

  1. caster On 30 Maret 2010 pukul 05.15

    makasih pak atas infonya, btw punya aplikasi berbasis php untuk menjalankan perintah diatas

     
  2. ikra On 2 Juni 2010 pukul 03.44

    thx inponya gan,,