Hi, now I'm doing all the leg work so I can get everything up and running and secure.
First of all, I did the firewall through a builder, yes I know, lazy ass me.
Just a copy of what I did so far; I know I probably need to add e.g.
iptables -A INPUT -p tcp --syn -m limit --limit 1/s --limit-burst 3 -j DROP
The only reason I didn't do so is that I'm unsure of this option and don't totally understand it, like the 1/s, ehm, and limit-burst.
And to make my confusion even bigger, now I read about K.I.S.S My Firewall and I ain't really sure what that does.
But I think that I maybe should get
DDoS Deflate
BFD v 1.2
Am I totally loony, and can someone tell me if this stuff looks good enough or if I have to get on it again, hehe, and maybe what K.I.S.S My Firewall does that iptables doesn't do :|

First of all, I did the firewall through a builder, yes I know, lazy ass me.

Just a copy of what I did so far; I know I probably need to add e.g.
iptables -A INPUT -p tcp --syn -m limit --limit 1/s --limit-burst 3 -j DROP
The only reason I didn't do so is that I'm unsure of this option and don't totally understand it, like the 1/s, ehm, and limit-burst.
And to make my confusion even bigger, now I read about K.I.S.S My Firewall and I ain't really sure what that does.
But I think that I maybe should get
DDoS Deflate
BFD v 1.2
Am I totally loony, and can someone tell me if this stuff looks good enough or if I have to get on it again, hehe, and maybe what K.I.S.S My Firewall does that iptables doesn't do :|
Code:
#!/bin/sh
#
# This is automatically generated file. DO NOT MODIFY !
#
# Firewall Builder fwb_ipt v3.0.2-676
#
# Generated Wed Dec 03 17:21:46 2008 Romance Standard Time by Benzon
#
# files: * MyFirewall.fw
#
#
# Compiled for iptables (any version)
#
#
#
#
#
# System binary directories go first so that `iptables`, `ip`, `modprobe`
# etc. resolve to the system tools rather than anything earlier in the
# caller's PATH.
export PATH="/sbin:/usr/sbin:/bin:/usr/bin:${PATH}"
# Tool names used throughout the script. All are bare names resolved via
# PATH except IP6TABLES_RESTORE, which is an absolute path (the generator's
# choice; it is not used by the rules below).
LSMOD="lsmod"
MODPROBE="modprobe"
IPTABLES="iptables"
IP6TABLES="ip6tables"
IPTABLES_RESTORE="iptables-restore"
IP6TABLES_RESTORE="/sbin/ip6tables-restore"
IP="ip"
LOGGER="logger"
#
# Prolog script
#
#
# End of prolog script
#
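#######################################
# Print a message and, when a logger command is available, send it to
# syslog at priority "info" as well.
# Globals:   LOGGER (read) - logger command name
# Arguments: $1 - message text
# Outputs:   the message on stdout
#######################################
log() {
  # printf, not echo: a message such as "-n" must be printed literally.
  printf '%s\n' "$1"
  # `test -x "$LOGGER"` with LOGGER="logger" only looks for a file called
  # "logger" in the current directory, so syslog was never reached.
  # Resolve the command through PATH instead.
  if command -v "$LOGGER" >/dev/null 2>&1; then
    $LOGGER -p info "$1"
  fi
}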
#######################################
# Abort the whole script when an address-table file is not readable.
# Arguments: $1 - AddressTable object name (for the message)
#            $2 - path of the file the object refers to
# Outputs:   error text on stdout
# Returns:   exits the shell with status 1 when $2 cannot be read
#######################################
check_file() {
  if [ ! -r "$2" ]; then
    echo "Can not find file $2 referenced by AddressTable object $1"
    exit 1
  fi
}
# Counter appended to the "FWB" label of each virtual address that add_addr
# creates (label "<dev>:FWB<va_num>"); incremented after every addition.
va_num=1
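#######################################
# Add an IPv4 address to an interface unless the interface already has it.
# Arguments: $1 - address (dotted quad)
#            $2 - prefix length
#            $3 - interface name
# Globals:   IP (read); va_num (read/written: counter for the FWB labels)
# Side effects: runs `ip addr add`; sets the helper variables addr, nm,
#            dev, type, aadd, L and OIFS (POSIX sh, no `local`).
#######################################
add_addr() {
  addr=$1
  nm=$2
  dev=$3
  type=""
  aadd=""
  # First line of `ip link ls`, e.g. "2: eth0: <BROADCAST,MULTICAST,UP> mtu ...".
  # Splitting on space, '/', ':', ',' and '<' leaves the first link flag in $4.
  L=$($IP -4 link ls "$dev" | head -n1)
  if [ -n "$L" ]; then
    OIFS=$IFS
    IFS=" /:,<"
    # shellcheck disable=SC2086 -- word splitting on the custom IFS is intended
    set -- $L
    type=$4
    IFS=$OIFS
    # A link without carrier reports NO-CARRIER first; the type follows it.
    if [ "$type" = "NO-CARRIER" ]; then
      type=$5
    fi
    # Is the address already configured? Lines containing ':' (labelled
    # aliases such as eth0:1, or inet6 lines) are ignored.
    L=$($IP -4 addr ls "$dev" to "$addr" | grep inet | grep -v :)
    if [ -n "$L" ]; then
      OIFS=$IFS
      IFS=" /"
      # shellcheck disable=SC2086 -- split "inet A.B.C.D/NN ..." on space and '/'
      set -- $L
      aadd=$2
      IFS=$OIFS
    fi
  fi
  # Only add when the address is absent; an unknown link leaves type empty
  # and therefore adds nothing.
  if [ -z "$aadd" ]; then
    if [ "$type" = "POINTOPOINT" ]; then
      $IP -4 addr add "$addr" dev "$dev" scope global label "$dev:FWB${va_num}"
      va_num=$((va_num + 1))
    fi
    if [ "$type" = "BROADCAST" ]; then
      $IP -4 addr add "$addr/$nm" dev "$dev" brd + scope global label "$dev:FWB${va_num}"
      va_num=$((va_num + 1))
    fi
  fi
}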
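#######################################
# Turn an interface name into a form usable as a shell variable name by
# replacing '.' (VLAN sub-interfaces such as eth0.100) with '_'.
# Previously only the first dot was replaced; every dot must go for the
# result to be a valid identifier, so the substitution is now global.
# Arguments: $1 - interface name
# Outputs:   the converted name on stdout
#######################################
getInterfaceVarName() {
  printf '%s\n' "$1" | sed 's/\./_/g'
}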
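#######################################
# Store the first IPv4 address of an interface in a named variable.
# Arguments: $1 - interface name
#            $2 - name of the variable to assign (set to '' when the
#                 interface has no inet line)
# Globals:   IP (read); sets dev, name, L, OIFS as side effects
#######################################
getaddr() {
  dev=$1
  name=$2
  # Keep "inet ..." lines only; lines with a ':' (inet6 lines and labelled
  # aliases such as eth0:1) are dropped.
  L=$($IP -4 addr show dev "$dev" | grep inet | grep -v :)
  if [ -z "$L" ]; then
    eval "$name=''"
    return
  fi
  OIFS=$IFS
  IFS=" /"
  # shellcheck disable=SC2086 -- split "inet A.B.C.D/NN ..." on space and '/'
  set -- $L
  # $name becomes a variable name under eval, so it must only ever come
  # from this generated script, never from untrusted input. Assigning
  # \$2 (not its expansion) keeps the value from being re-parsed.
  eval "$name=\$2"
  IFS=$OIFS
}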
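#######################################
# Store the first IPv6 address of an interface in a named variable.
# Arguments: $1 - interface name
#            $2 - name of the variable to assign (set to '' when the
#                 interface has no inet6 line)
# Globals:   IP (read); sets dev, name, L, OIFS as side effects
#######################################
getaddr6() {
  dev=$1
  name=$2
  # No `grep -v :` here: every IPv6 address contains colons, so that filter
  # (copied from the IPv4 getaddr) discarded all inet6 lines and this
  # function always yielded an empty string. The first inet6 line in
  # `ip` output order is used, whatever its scope.
  # NOTE(review): filter on "scope global" if a link-local address is not
  # acceptable to callers -- confirm against how the result is used.
  L=$($IP -6 addr show dev "$dev" | grep inet6)
  if [ -z "$L" ]; then
    eval "$name=''"
    return
  fi
  OIFS=$IFS
  IFS=" /"
  # shellcheck disable=SC2086 -- split "inet6 ADDR/PLEN ..." on space and '/'
  set -- $L
  # $name becomes a variable name under eval, so it must only ever come
  # from this generated script, never from untrusted input.
  eval "$name=\$2"
  IFS=$OIFS
}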
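#######################################
# List the interfaces whose `ip link show` line contains ": $NAME".
# This is a prefix match ("eth" lists eth0, eth1, ...), and NAME is passed
# to grep unescaped, so a '.' in it matches any character.
# Arguments: $1 - interface name or prefix
# Globals:   IP (read); sets NAME, L, OIFS as side effects
# Outputs:   one interface name per line on stdout
#######################################
getinterfaces() {
  NAME=$1
  $IP link show | grep ": $NAME" | while read -r L; do
    OIFS=$IFS
    IFS=" :"
    # shellcheck disable=SC2086 -- split "2: eth0: <...>" on space and ':'
    set -- $L
    IFS=$OIFS
    printf '%s\n' "$2"
  done
}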
# increment ip address
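#######################################
# Increment a dotted-quad address held in four shell variables.
# Arguments: $1..$4 - NAMES of the variables holding the four octets, most
#            significant first. Each octet is updated in place via eval and
#            a carry propagates to the next octet when one passes 255.
# Globals:   sets n1..n4 and vn1 as side effects (POSIX sh, no `local`)
#######################################
incaddr() {
  n1=$4
  n2=$3
  n3=$2
  n4=$1
  # "XX" is the placeholder passed for the octet above the most significant
  # one. Reaching it means 255.255.255.255 wrapped to 0.0.0.0 and there is
  # nothing left to carry into (the old code ran `expr` on an empty string
  # here and assigned an empty XX variable).
  if [ "$n1" = "XX" ]; then
    return
  fi
  # The argument is a variable name, so eval is needed to read it; never
  # call this with names taken from untrusted input.
  eval "vn1=\$$n1"
  if [ "${vn1:-0}" -lt 255 ]; then
    eval "$n1=$((vn1 + 1))"
  else
    eval "$n1=0"
    incaddr XX "$n4" "$n3" "$n2"
  fi
}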
# Abort unless the iproute2 `ip` command is usable; on success print the
# same blank line the generator emits.
if ! $IP link ls >/dev/null 2>&1; then
  echo "iproute not found"
  exit 1
fi
echo
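# Load every conntrack-related kernel module that is not already loaded.
MODULES_DIR="/lib/modules/$(uname -r)/kernel/net/"
# Module file names (e.g. nf_conntrack.ko) reduced to the bare module name:
# strip the directory, then everything from the first '.'.
MODULES=$(find "$MODULES_DIR" -name '*conntrack*' | sed -e 's/^.*\///' -e 's/\([^\.]\)\..*/\1/')
# shellcheck disable=SC2086 -- MODULES is a whitespace-separated list
for module in $MODULES; do
  # Match the module name as lsmod's first column. A bare substring match
  # would treat e.g. a loaded nf_conntrack_ipv4 as proof that nf_conntrack
  # itself is loaded.
  if $LSMOD | grep "^${module}[[:space:]]" >/dev/null; then continue; fi
  $MODPROBE "${module}" || exit 1
done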
# Using 0 address table files
# Every interface the rule set refers to must exist, otherwise stop before
# touching the firewall. The trailing space in the list is harmless: the
# unquoted expansion splits on whitespace.
INTERFACES="eth0 lo "
for i in $INTERFACES ; do
  if ! $IP link show "$i" > /dev/null 2>&1; then
    log "Interface $i does not exist"
    exit 1
  fi
done
# Configure interfaces
# Drop the neighbour (ARP) cache and any "eth0:FWB*" labelled secondary
# addresses that add_addr created on a previous run, then (re)add the
# primary address and bring the link up. add_addr skips the `ip addr add`
# when eth0 already carries 192.168.1.10.
$IP -4 neigh flush dev eth0 >/dev/null 2>&1
$IP -4 addr flush dev eth0 secondary label "eth0:FWB*" >/dev/null 2>&1
add_addr 192.168.1.10 24 eth0
$IP link set eth0 up
add_addr 127.0.0.1 8 lo
$IP link set lo up
# Add virtual addresses for NAT rules
log 'Activating firewall script generated Wed Dec 03 17:21:46 2008 by Benzon'
# ================ IPv4
# ================ Table 'filter', automatic rules
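# Lock all three chains down first so nothing slips through while the old
# rule set is torn down and the new one is built.
$IPTABLES -P OUTPUT DROP
$IPTABLES -P INPUT DROP
$IPTABLES -P FORWARD DROP
# Flush every chain of every loaded table, then delete the user-defined
# chains. `-F` with no chain name flushes the whole table, so there is no
# need to parse `-L -n` output chain by chain (which also broke quietly
# whenever the listing format differed).
while read -r table; do
  $IPTABLES -t "$table" -F
  $IPTABLES -t "$table" -X
done < /proc/net/ip_tables_names
# Keep already-established connections flowing in every chain; NEW
# connections are decided by the rule-specific chains that follow.
$IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT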
# ================ Table 'mangle', automatic rules
# ================ Table 'filter', rule set Policy
# Policy compiler errors and warnings:
#
#
# Rule 0 (eth0)
#
echo "Rule 0 (eth0)"
#
# Looks like an anti-spoofing rule: a packet arriving on eth0 whose source
# is the firewall's own address 192.168.1.10 is logged and dropped, on
# INPUT and FORWARD. Only NEW connections reach this chain; anything
# ESTABLISHED,RELATED was already accepted above.
#
$IPTABLES -N In_RULE_0
$IPTABLES -A INPUT -i eth0 -s 192.168.1.10 -m state --state NEW -j In_RULE_0
$IPTABLES -A FORWARD -i eth0 -s 192.168.1.10 -m state --state NEW -j In_RULE_0
# LOG has no -m limit, so a sustained stream of spoofed packets is logged
# packet by packet.
$IPTABLES -A In_RULE_0 -j LOG --log-level info --log-prefix "RULE 0 -- DENY "
$IPTABLES -A In_RULE_0 -j DROP
#
# Rule 1 (lo)
#
echo "Rule 1 (lo)"
#
# Loopback is unrestricted: NEW connections arriving on lo and leaving on
# lo are accepted; the rest of loopback traffic is covered by the
# ESTABLISHED,RELATED rules above.
#
$IPTABLES -A INPUT -i lo -m state --state NEW -j ACCEPT
$IPTABLES -A OUTPUT -o lo -m state --state NEW -j ACCEPT
#
# Rule 2 (global)
#
echo "Rule 2 (global)"
#
# Services this host offers. Chain Cid2674X3808.0 handles NEW connections
# the host opens to its own address 192.168.1.10 on OUTPUT; the INPUT rules
# further down accept the same set from any source (no -s restriction), so
# every listed port is reachable from anywhere.
#
$IPTABLES -N Cid2674X3808.0
$IPTABLES -A OUTPUT -d 192.168.1.10 -m state --state NEW -j Cid2674X3808.0
# ICMP time-exceeded (11/0, 11/1), echo-reply (0/0) and every
# destination-unreachable (3) subtype.
$IPTABLES -A Cid2674X3808.0 -p icmp -m icmp --icmp-type 11/0 -j ACCEPT
$IPTABLES -A Cid2674X3808.0 -p icmp -m icmp --icmp-type 11/1 -j ACCEPT
$IPTABLES -A Cid2674X3808.0 -p icmp -m icmp --icmp-type 0/0 -j ACCEPT
$IPTABLES -A Cid2674X3808.0 -p icmp -m icmp --icmp-type 3 -j ACCEPT
# Active-mode FTP data: NEW TCP from source port 20 to any unprivileged port.
# NOTE(review): the remote peer chooses its own source port, so this accepts
# any connection made from sport 20 to any port in 1024-65535; the usual
# tighter alternative is the ftp conntrack helper together with the
# ESTABLISHED,RELATED rule above.
$IPTABLES -A Cid2674X3808.0 -p tcp -m tcp --sport 20 --dport 1024:65535 -j ACCEPT
# 80/443 HTTP(S), 21/20 FTP, 110/995 POP3(S), 143/993 IMAP(S),
# 25/465 SMTP(S), 22 SSH and 2222 (no registered service; presumably an
# alternate SSH port).
$IPTABLES -A Cid2674X3808.0 -p tcp -m tcp -m multiport --dports 80,443,21,20,110,995,143,993,25,465,22,2222 -j ACCEPT
# The same set on INPUT, accepted from any source address.
$IPTABLES -A INPUT -p icmp -m icmp --icmp-type 11/0 -m state --state NEW -j ACCEPT
$IPTABLES -A INPUT -p icmp -m icmp --icmp-type 11/1 -m state --state NEW -j ACCEPT
$IPTABLES -A INPUT -p icmp -m icmp --icmp-type 0/0 -m state --state NEW -j ACCEPT
$IPTABLES -A INPUT -p icmp -m icmp --icmp-type 3 -m state --state NEW -j ACCEPT
# Same sport-20 caveat as above: this is reachable from any source.
$IPTABLES -A INPUT -p tcp -m tcp --sport 20 --dport 1024:65535 -m state --state NEW -j ACCEPT
$IPTABLES -A INPUT -p tcp -m tcp -m multiport --dports 80,443,21,20,110,995,143,993,25,465,22,2222 -m state --state NEW -j ACCEPT
#
# Rule 3 (global)
#
echo "Rule 3 (global)"
#
# server needs DNS to back-resolve clients IPs.
# Even if it does not log host names during its
# normal operations, statistics scripts such as
# webalizer need it for reporting.
#
# Inbound DNS (tcp and udp 53) is only accepted when the source is the
# host's own address 192.168.1.10 -- presumably the generator's rendering
# of "this firewall" as the source; outbound DNS may go to any resolver.
$IPTABLES -A INPUT -p tcp -m tcp -s 192.168.1.10 --dport 53 -m state --state NEW -j ACCEPT
$IPTABLES -A INPUT -p udp -m udp -s 192.168.1.10 --dport 53 -m state --state NEW -j ACCEPT
$IPTABLES -A OUTPUT -p tcp -m tcp --dport 53 -m state --state NEW -j ACCEPT
$IPTABLES -A OUTPUT -p udp -m udp --dport 53 -m state --state NEW -j ACCEPT
#
# Rule 4 (global)
#
echo "Rule 4 (global)"
#
# this rejects auth (ident) queries that remote
# mail relays may send to this server when it
# tries to send email out.
#
# REJECT rather than DROP: presumably so the relay gets an immediate error
# instead of waiting for the ident query to time out. The OUTPUT rule
# covers ident queries the host would send to its own address.
$IPTABLES -A OUTPUT -p tcp -m tcp -d 192.168.1.10 --dport 113 -m state --state NEW -j REJECT
$IPTABLES -A INPUT -p tcp -m tcp --dport 113 -m state --state NEW -j REJECT
#
# Rule 5 (global)
#
echo "Rule 5 (global)"
#
# Catch-all: any NEW connection not accepted by the rules above is logged
# and dropped in all three chains. Rules are matched in order, so this must
# stay the last rule. LOG carries no -m limit, so a scan or flood is logged
# packet by packet.
#
$IPTABLES -N RULE_5
$IPTABLES -A OUTPUT -m state --state NEW -j RULE_5
$IPTABLES -A INPUT -m state --state NEW -j RULE_5
$IPTABLES -A FORWARD -m state --state NEW -j RULE_5
$IPTABLES -A RULE_5 -j LOG --log-level info --log-prefix "RULE 5 -- DENY "
$IPTABLES -A RULE_5 -j DROP
#
#
# Enable IPv4 forwarding in the kernel. With the FORWARD policy set to DROP
# above and only Rule 0 (drop) and Rule 5 (log+drop) besides the
# ESTABLISHED,RELATED rule touching FORWARD, no new traffic is routed; if
# this host is not meant to act as a router, leaving forwarding off would
# be the tighter setting.
echo 1 > /proc/sys/net/ipv4/ip_forward
#
# Epilog script
#
# End of epilog script
#