OK, but you want this:
post-firewall
Code:
#!/bin/sh
# Info
# $1 WAN_IF $2 WAN_IP
# $3 LAN_IF $4 LAN_IP
# $5 DMZ_IF $6 DMZ_IP
touch /tmp/var/log/fwdebug
DATES=`date | /usr/bin/awk '{print substr($0,5,15)}'`
echo $DATES "post-firewall: starting : WAN: $1 ($2), LAN: $3 ($4), DMZ: $5 ($6)" >>/tmp/var/log/fwdebug
echo $DATES "post-firewall: starting : WAN: $1 ($2), LAN: $3 ($4), DMZ: $5 ($6)" >>/tmp/syslog.log
echo $DATES " change logdrop and logaccept to DROP and ACCEPT...starting" >>/tmp/var/log/fwdebug
echo "8192" >/proc/sys/net/ipv4/ip_conntrack_max
iptables -D logaccept 1
iptables -D logdrop 1
iptables -D INPUT -j DROP
DATES=`date | /usr/bin/awk '{print substr($0,5,15)}'`
echo $DATES " change logdrop and logaccept to DROP and ACCEPT...done" >>/tmp/var/log/fwdebug
echo $DATES " add INPUT rules to firewall...starting" >>/tmp/var/log/fwdebug
iptables -A INPUT -i $1 -p TCP --dport 21 -m recent --name FTP --rcheck --hitcount 3 --seconds 30 \
-j LOG --log-prefix "FTP_BRUTE "
iptables -A INPUT -i $1 -p TCP --dport 21 -m recent --name FTP --update --hitcount 3 --seconds 30 \
-j DROP
iptables -A INPUT -i $1 -p TCP --dport 21 -m recent --name FTP --set -j ACCEPT
iptables -A INPUT -i $1 -p TCP --dport 22 -m recent --name SSH --rcheck --hitcount 3 --seconds 120 \
-j LOG --log-prefix "SSH_BRUTE "
iptables -A INPUT -i $1 -p TCP --dport 22 -m recent --name SSH --update --hitcount 3 --seconds 120 \
-j DROP
iptables -A INPUT -i $1 -p TCP --dport 22 -m recent --name SSH --set -j ACCEPT
iptables -A INPUT -i $1 -p TCP --dport 443 -m recent --name SSH --rcheck --hitcount 3 --seconds 120 \
-j LOG --log-prefix "SSH_BRUTE "
iptables -A INPUT -i $1 -p TCP --dport 443 -m recent --name SSH --update --hitcount 3 --seconds 120 \
-j DROP
iptables -A INPUT -i $1 -p TCP --dport 443 -m recent --name SSH --set -j ACCEPT
for i in 4746 4747 4757 4848 4949 ; do
iptables -A INPUT -i $1 -p TCP --dport $i -m recent --name ED2K --rcheck --hitcount 50 \
--seconds 5 -j LOG --log-prefix "ED2K_BRUTE "
iptables -A INPUT -i $1 -p TCP --dport $i -m recent --name ED2K --update --hitcount 50 \
--seconds 5 -j DROP
iptables -A INPUT -i $1 -p TCP --dport $i -m recent --name ED2K --set -j ACCEPT
done
for i in 4747 4750 4751 4757 4848 4949 ; do
iptables -A INPUT -i $1 -p UDP --dport $i -m recent --name ED2K --rcheck --hitcount 50 \
--seconds 5 -j LOG --log-prefix "ED2K_BRUTE "
iptables -A INPUT -i $1 -p UDP --dport $i -m recent --name ED2K --update --hitcount 50 \
--seconds 5 -j DROP
iptables -A INPUT -i $1 -p UDP --dport $i -m recent --name ED2K --set -j ACCEPT
done
i=2697
while [ $i -le 2706 ] ; do
iptables -A INPUT -i $1 -p TCP --dport $i -m recent --name ENHCT --rcheck --hitcount 50 \
--seconds 5 -j LOG --log-prefix "ENHCT__BRUTE "
iptables -A INPUT -i $1 -p TCP --dport $i -m recent --name ENHCT --update --hitcount 50 \
--seconds 5 -j DROP
iptables -A INPUT -i $1 -p TCP --dport $i -m recent --name ENHCT --set -j ACCEPT
i=`expr $i + 1`
done
iptables -A INPUT -i $1 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -j DROP
DATES=`date | /usr/bin/awk '{print substr($0,5,15)}'`
echo $DATES " add INPUT rules to firewall...done" >>/tmp/var/log/fwdebug
echo `date` " add PREROUTING and FORWARD rules to firewall...starting" >>/tmp/var/log/fwdebug
for i in 21 22 443 4746 4747 4757 ; do
iptables -t nat -A PREROUTING -i $1 -p tcp --dport $i -j DNAT \
--to-destination $4:$i
iptables -A FORWARD -i $1 -o $3 -p tcp --dport $i -d $4 -j ACCEPT
done
for i in 4747 4750 4751 4757 ; do
iptables -t nat -A PREROUTING -i $1 -p udp --dport $i -j DNAT \
--to-destination $4:$i
iptables -A FORWARD -i $1 -o $3 -p udp --dport $i -d $4 -j ACCEPT
done
DATES=`date | /usr/bin/awk '{print substr($0,5,15)}'`
echo $DATES " add PREROUTING and FORWARD rules to firewall...done" >>/tmp/var/log/fwdebug
echo $DATES "post-firewall: done" >>/tmp/var/log/fwdebug
echo $DATES "post-firewall: done" >>/tmp/syslog.log
The script uses the ipt_recent module in the next 3 lines:
iptables -A INPUT -i <interface> -p TCP --dport <port> -m recent --name <RULE_NAME> --rcheck --hitcount <packet_number> \
--seconds <time_in_sec> -j LOG --log-prefix <COMMENT_TO_LOG>
iptables -A INPUT -i <interface> -p TCP --dport <port> -m recent --name <RULE_NAME> --update --hitcount <packet_number> \
--seconds <time_in_sec> -j DROP
iptables -A INPUT -i <interface> -p TCP --dport <port> -m recent --name <RULE_NAME> --set -j ACCEPT
line1: defines the rule to set and log packets, if more than <packet_number> in <time_in_sec>
line2: drops the packet, if more than <packet_number> in <time_in_sec>
line3: accepts, if fewer.
I don't know if the parameters are correct. I had a crash when I tried to remove/change the 'logdrop' and 'logaccept' rules in my post-firewall script, and the correct value was lost. But this parameter (50 in 5 sec) is working, always working on my router. In the old days, when I used a donkey client (emule, etc.), I had a DDoS attack (no net, and the router was very slow). Now everything works (even during a DDoS attack).
Bye (and sorry for my poor English),
George
(I use the emule client on 2 PCs (4848, 4949), uTorrent (17771) on a PC, and amule or mlnet (mldonkey) on the router (4747..4757), sctcs on the router (2697..2706, for enhanced-ctorrent), and SSH (ports 22 and 443 (https)). SSH works on port 443 and through the M$ ISA server (at my workplace).)
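The three-rule ipt_recent pattern George describes, as an added example in POSIX sh (not code from the original post): a generator that prints the LOG/DROP/ACCEPT triplet for any interface, protocol, port and threshold, and a range helper like the post's 2697..2706 loop. The interface name vlan1 and the numbers in the demo are assumed values; the commands are printed rather than executed so they can be reviewed first.

```shell
#!/bin/sh
# Added example, not from the original post. Prints the three ipt_recent rules
# the post explains. Rule order matters: --rcheck/LOG, then --update/DROP, then
# --set/ACCEPT. With ACCEPT first, every new connection would be admitted and
# counted before the threshold is ever tested.

# recent_throttle IFACE PROTO PORT NAME HITS SECS PREFIX
recent_throttle() {
    iface=$1 proto=$2 port=$3 name=$4 hits=$5 secs=$6 prefix=$7
    for n in "$port" "$hits" "$secs"; do
        case "$n" in
            ''|*[!0-9]*) echo "recent_throttle: port/hits/secs must be numeric" >&2; return 1 ;;
        esac
    done
    if [ "$port" -lt 1 ] || [ "$port" -gt 65535 ]; then
        echo "recent_throttle: port $port out of range" >&2; return 1
    fi
    base="iptables -A INPUT -i $iface -p $proto --dport $port -m recent --name $name"
    # 1) source already seen more than HITS times in SECS seconds: log it
    echo "$base --rcheck --hitcount $hits --seconds $secs -j LOG --log-prefix \"$prefix \""
    # 2) same condition: drop, and refresh the entry so the block keeps sliding
    echo "$base --update --hitcount $hits --seconds $secs -j DROP"
    # 3) under the threshold: record this source in the list and accept
    echo "$base --set -j ACCEPT"
}

# recent_throttle_range IFACE PROTO NAME HITS SECS PREFIX LO HI
# Emits the triplet for every port LO..HI (the post's enhanced-ctorrent loop).
recent_throttle_range() {
    p=$7
    while [ "$p" -le "$8" ]; do
        recent_throttle "$1" "$2" "$p" "$3" "$4" "$5" "$6" || return 1
        p=$((p + 1))
    done
}

# Demo: the post's SSH rule (3 new connections per 120 s) on an assumed WAN interface
recent_throttle vlan1 tcp 22 SSH 3 120 SSH_BRUTE
```

Pipe the output to `sh` only after checking it; the generator itself never touches the running firewall.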