#!/bin/bash
# NOTE: iptables filters IPv4 only. On a dual-stack host the same protections
# must be added with ip6tables, otherwise IPv6 traffic bypasses every rule below.
#######################################
# Print a separator line: 100 '-' characters followed by a newline.
# Outputs: the separator on stdout
#######################################
dash() {
  local rule
  # Build 100 spaces, then turn every space into a dash.
  printf -v rule '%100s' ''
  printf '%s\n' "${rule// /-}"
}
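#######################################
# Save the current IPv4 filter ruleset to <name>.txt in the working directory.
# The file name is read from stdin.
# Returns: 0 when iptables-save succeeded, 1 on an empty name or a failed save.
#          The original always returned 0 (status of the trailing dash), so
#          callers that gate a flush on "if backuptable" never saw a failure.
#######################################
backuptable() {
  local backupname
  dash
  echo "Enter backup file name."
  # -r keeps backslashes literal; the name is quoted everywhere below so a
  # name with spaces or a leading '-' cannot be split or parsed as an option.
  read -r -p "Backup iptable name: " backupname
  if [[ -z "$backupname" ]]; then
    dash
    echo "No backup name given; nothing saved" >&2
    dash
    return 1
  fi
  # The redirection creates the file before iptables-save runs, so the
  # command's exit status, not the file's existence, decides success.
  if ! iptables-save > "$backupname.txt"; then
    dash
    echo "iptables-save failed; $backupname.txt is not a valid backup" >&2
    dash
    return 1
  fi
  dash
  echo "Saved in: $(pwd) with filename $backupname.txt"
  dash
}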
#######################################
# Report an unrecognised menu selection, framed by separator lines.
# Outputs: the message on stdout
#######################################
invalidchoice() {
  local message="Invalid Choice"
  dash
  printf '%s\n' "$message"
  dash
}
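# iptables, iptables-save and iptables-restore all need root; without it every
# menu action below fails after the prompt, so refuse early with a clear message.
if [[ "$(id -u)" -ne 0 ]]; then
  echo "This script must be run as root." >&2
  exit 1
fi

#######################################
# Ask a yes/no question and classify the answer.
# Arguments: $1 - prompt text
# Returns:   0 for y/yes, 1 for n/no, 2 for anything else. Matching is
#            case-insensitive, so "Yes", "YES" and "No" are all understood
#            (the old per-prompt regexes each accepted a different subset,
#            and the "no" regex was unanchored so "nope"/"never" matched).
#######################################
confirm() {
  local answer
  read -r -p "$1" answer
  case "$answer" in
    [yY]|[yY][eE][sS]) return 0 ;;
    [nN]|[nN][oO])     return 1 ;;
    *)                 return 2 ;;
  esac
}

#######################################
# Append a filter-table rule unless an identical one is already present, so
# picking the same menu item twice does not stack duplicate rules.
# On very old kernels -C may not recognise stateful matches such as limit;
# the rule is then appended as before, which is what the original always did.
# Arguments: the rule spec without -A/-C (chain name first)
# Returns:   iptables' exit status
#######################################
add_rule() {
  iptables -C "$@" 2>/dev/null || iptables -A "$@"
}

#######################################
# Print the filter table with rule numbers.
#######################################
show_rules() {
  dash
  echo "See current iptable"
  dash
  iptables -L --line-numbers
}

#######################################
# Flush every rule from every chain of the filter table.
# --flush does NOT touch chain policies: if INPUT is already DROP this leaves
# the host with no ACCEPT rules at all (loopback and SSH included), so warn.
#######################################
flush_rules() {
  dash
  echo "Flushing all rules"
  echo "NOTE: chain policies are not reset; with an INPUT policy of DROP no inbound traffic will be accepted afterwards."
  dash
  iptables --flush
  show_rules
}

echo "Welcome to some common firewall attacks and how to prevent them."
PS3="Please enter your choice: "
option=("Policies" "Specific Attack Prevention" "Worst Case Options" "Backup / Restore")
poly=("Deny by Default" "Accept by Default")
attk=("Ping Flood" "TCP SYN Flood" "Malformed Packets" "Smurf Attack")
worst=("Block All Incoming Traffic" "Flush All Rules")
back=("Backup Current" "Restore from backup")

select x in "${option[@]}"; do
  case $x in
    "Policies")
      select pol in "${poly[@]}"; do
        case $pol in
          "Deny by Default")
            dash
            echo "Changing Default to DROP"
            # Only the policies change here; no loopback/ESTABLISHED ACCEPT
            # rules are added, so over SSH this can cut off the current session.
            echo "NOTE: without loopback and ESTABLISHED ACCEPT rules in INPUT this will also cut off a remote (SSH) session."
            iptables -P INPUT DROP
            iptables -P FORWARD DROP
            iptables -P OUTPUT ACCEPT
            ;;
          "Accept by Default")
            dash
            echo "Changing Default to ACCEPT"
            iptables -P INPUT ACCEPT
            iptables -P FORWARD ACCEPT
            iptables -P OUTPUT ACCEPT
            ;;
          *)
            invalidchoice
            ;;
        esac
      done
      ;;
    "Specific Attack Prevention")
      select ap in "${attk[@]}"; do
        case $ap in
          "Ping Flood")
            dash
            echo "Blocking incoming ICMP Echo Requests"
            # Drop ICMP type 8 (echo-request) only; other ICMP still passes.
            add_rule INPUT -p icmp --icmp-type echo-request -j DROP
            dash
            ;;
          "TCP SYN Flood")
            dash
            echo "Blocking TCP SYN Flood"
            # Rate-limit NEW TCP connections and drop the excess.  The limit is
            # global, not per source, so 2/s is very tight for a real server;
            # tune --limit or use -m hashlimit --hashlimit-mode srcip instead.
            # The old DROP line used Unicode en-dashes ("–p", "–m"), which
            # iptables rejects, so the excess was never actually dropped.
            # conntrack/--ctstate is the current spelling of state/--state and
            # matches the ESTABLISHED rule used further down.
            add_rule INPUT -p tcp -m conntrack --ctstate NEW -m limit --limit 2/second --limit-burst 2 -j ACCEPT
            add_rule INPUT -p tcp -m conntrack --ctstate NEW -j DROP
            dash
            ;;
          "Malformed Packets")
            dash
            echo "Blocking Malformed XMAS Packets"
            # Examine every flag bit; only FIN+PSH+URG set is the XMAS scan.
            add_rule INPUT -p tcp --tcp-flags ALL FIN,PSH,URG -j DROP
            dash
            echo "Blocking Fragmented Packets"
            # -f matches second and later fragments.  Legitimate large UDP
            # (e.g. DNS/EDNS, some VPNs) fragments too, so this can break them.
            add_rule INPUT -f -j DROP
            dash
            echo "Blocking NULL packets"
            # No flag bits at all is never valid TCP; used by NULL scans.
            add_rule INPUT -p tcp --tcp-flags ALL NONE -j DROP
            dash
            ;;
          "Smurf Attack")
            dash
            echo "Blocking Smurf Attack"
            # Rate-limit all ICMP and drop the rest.  Once the limit is hit this
            # also drops ICMP errors (e.g. fragmentation-needed), which can
            # break path-MTU discovery.
            add_rule INPUT -p icmp -m limit --limit 2/second --limit-burst 2 -j ACCEPT
            add_rule INPUT -p icmp -j DROP
            dash
            ;;
          *)
            invalidchoice
            ;;
        esac
      done
      ;;
    "Worst Case Options")
      echo "Be absolutely sure before running these commands."
      select w in "${worst[@]}"; do
        case $w in
          "Block All Incoming Traffic")
            echo "NOTE: This will also block SSH access!!"
            if confirm "Are you sure? [Y/N]: "; then
              dash
              echo "Blocking all internal and external traffic"
              # Add the ACCEPT rules before switching the policy so there is
              # no window in which the SSH session running this script is
              # dropped (the original set DROP first, then added the rules).
              # Loopback: local services talk to each other over lo.
              add_rule INPUT -i lo -j ACCEPT
              add_rule OUTPUT -o lo -j ACCEPT
              # Established sessions keep receiving replies; only NEW inbound
              # connections (new SSH logins included) are dropped.
              add_rule INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
              # Default chain policies.
              iptables -P INPUT DROP
              iptables -P FORWARD DROP
              iptables -P OUTPUT ACCEPT
              dash
            else
              # Anything but a clear yes (including an unrecognised answer)
              # abandons the action and returns to the main menu.
              dash
              echo "Exiting"
              dash
              break
            fi
            ;;
          "Flush All Rules")
            confirm "Would you like to back up the current rules before proceeding? [Y/N]: "
            case $? in
              0)
                # Only flush once the backup is confirmed written.
                if backuptable; then
                  flush_rules
                else
                  dash
                  echo "Backup failed"
                  echo "Exiting Script"
                  dash
                  break
                fi
                ;;
              1)
                flush_rules
                ;;
              *)
                invalidchoice
                ;;
            esac
            ;;
          *)
            invalidchoice
            ;;
        esac
      done
      ;;
    "Backup / Restore")
      select b in "${back[@]}"; do
        case $b in
          "Backup Current")
            backuptable
            ;;
          "Restore from backup")
            dash
            echo "Enter backup file name"
            read -r -p "Restore from file: " restorename
            # Quoted so a name with spaces is not split.  Check readability
            # first: a missing file would otherwise print "Restored from file".
            if [[ -z "$restorename" || ! -r "$restorename.txt" ]]; then
              dash
              echo "Cannot read backup file: $restorename.txt" >&2
              dash
            elif iptables-restore < "$restorename.txt"; then
              dash
              echo "Restored from file: $restorename.txt"
              dash
            else
              dash
              echo "Restore failed" >&2
              dash
            fi
            ;;
          *)
            invalidchoice
            ;;
        esac
      done
      ;;
    *)
      invalidchoice
      ;;
  esac
done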