Shell script iptables based firewall for virtuozzo VPS for REDHAT Linux

#!/bin/bash
# Firewall for Red hat enterprise linux Virtuozzo VPS
# It is  simple firewall but effective one on Red hat enterprise linux Virtuozzo VPS :)
# ---------------------------------------------------------
# 1) DO NOT FORGET TO SET UP THE CORRECT IPS first
# 2) touch /root/allbadips.txt; echo "192.168.0.10"> /root/allbadips.txt
# 3) To load/start firewall from this script
# chmod +x virtuozzo-iptables-firewall-script.bash
# ./virtuozzo-iptables-firewall-script.bash
# -----------------------------------------------------
# Last updated : Aug - 08 - 2005
# -----------------------------------------------------
# Copyright (C) 2004,2005 nixCraft <http://cyberciti.biz/fb/>
# This script is licensed under GNU GPL version 2.0 or above
# For more info, please visit:
# https://www.cyberciti.biz/nixcraft/vivek/blogger/2004/12/virtuozzo-iptables-firewall.html
#-----------------------------------------------------
# ip = can be setup once - Aug-2005.
# -------------------------------------------------------------------------
# This script is part of nixCraft shell script collection (NSSC)
# Visit http://bash.cyberciti.biz/ for more information.
# -------------------------------------------------------------------------
 
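# BAD IPS FILE: every address listed in this file is dropped in both
# directions (see the loop below). One address per line; lines starting
# with "#" are comments. The file is read directly instead of through a
# pipe from cat, and a missing or unreadable file is reported instead of
# silently yielding an empty list.
BADIPS_FILE="/root/allbadips.txt"
BADIPS=""
if [ -r "$BADIPS_FILE" ]; then
    BADIPS="$(grep -v -E '^#' "$BADIPS_FILE")"
else
    echo "warning: $BADIPS_FILE not found or not readable, no addresses blocked" >&2
fi

# setup your IPS here: every address assigned to this VPS, space separated
# (used by the anti-spoofing rules below)
myIPS="xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx"

# Setup VPS main IP here. Every ACCEPT rule in this script uses this
# variable; do not reuse the name "ip" anywhere else in the script.
ip="xxx.xxx.xxx.xxx"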
 
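# stop RedHAT linux iptables (flushes the distribution's rule set so the
# rules below start from an empty table)
service  iptables stop

# Setting default filter policy DROP ALL :D -- anything not explicitly
# accepted below is dropped
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP

# allow unlimited traffic on both lo and venet0 (the Virtuozzo virtual
# interface also carries the loopback address)
iptables -A INPUT  -i venet0 -s 127.0.0.1 -j ACCEPT
iptables -A OUTPUT -o venet0 -d 127.0.0.1 -j ACCEPT

iptables -A INPUT  -i lo -s 127.0.0.1 -j ACCEPT
iptables -A OUTPUT -o lo -d 127.0.0.1 -j ACCEPT

# Block all those IPs, in both directions.
# The loop variable must NOT be called "ip": that name holds the VPS main
# address set above and is used by every ACCEPT rule further down. Reusing
# it here leaves $ip equal to the last blocked address once the loop ends,
# so all service rules (80, 443, 25, 22, DNS, ...) would be bound to the
# wrong address and the server, including SSH, would become unreachable.
for badip in $BADIPS
do
    iptables -A INPUT -s "$badip" -j DROP
    iptables -A OUTPUT -d "$badip" -j DROP
done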
# Stop flood: every new TCP connection attempt (SYN) is diverted to the
# "flood" chain, which lets at most 1 SYN/s (burst of 3) back to INPUT and
# drops the rest. The limit is global, not per source, so one busy client
# throttles new connections from everybody.
iptables -N flood
iptables -A INPUT -p tcp --syn -j flood
iptables -A flood -m limit --limit 1/s --limit-burst 3 -j RETURN
iptables -A flood -j DROP

# Spoofing and bad addresses
# A packet arriving from the network with one of our own addresses as its
# source cannot be genuine: drop it.
for ownip in $myIPS
do
    iptables -A INPUT -s "$ownip" -j DROP
done

# Drop all incoming fragments
iptables -A INPUT -f -j DROP

# Drop malformed TCP packets: XMAS (every flag set) and NULL (no flag set)
iptables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP
iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP

# Bad incoming source addresses: the unspecified network, loopback, the
# RFC 1918 private ranges and multicast/reserved space never legitimately
# arrive from the Internet.
for badnet in 0.0.0.0/8 127.0.0.0/8 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 224.0.0.0/3
do
    iptables -A INPUT -s "$badnet" -j DROP
done
 
# Inbound services: www (80), secure www (443), SMTP (25) and SSH (22).
# There is no stateful matching (the VPS kernel does not support it), so
# each service gets one INPUT rule for client requests and one OUTPUT rule
# for the replies, matched on the client's source port range. SSH clients
# are allowed source ports from 513 upwards, the others from 1024.
for svc in "80 1024" "443 1024" "25 1024" "22 513"
do
    port="${svc%% *}"      # service port on this VPS
    lowport="${svc##* }"   # lowest client port accepted
    iptables -A INPUT -p tcp -s 0/0 --sport "$lowport:65535" -d "$ip" --dport "$port" -j ACCEPT
    iptables -A OUTPUT -p tcp -s "$ip" --sport "$port" -d 0/0 --dport "$lowport:65535" -j ACCEPT
done
 
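# Outgoing DNS to the ISP's resolvers, UDP first and then TCP (answers that
# do not fit in a UDP datagram are retried over TCP).
NSIP="ns1_IP  ns2_IP" # NS1 NS2 of ISP
for nsip in $NSIP
do
  iptables -A OUTPUT -p udp -s "$ip" --sport 1024:65535 -d "$nsip" --dport 53 -j ACCEPT
  iptables -A INPUT -p udp -s "$nsip" --sport 53 -d "$ip" --dport 1024:65535 -j ACCEPT
  # tcp next. "! --syn" admits the resolver's replies to connections we
  # opened (SYN-ACK, ACK, data) but not a new inbound connection from source
  # port 53 to a local high port, which a plain ACCEPT on this stateless
  # rule would allow.
  iptables -A OUTPUT -p tcp -s "$ip" --sport 1024:65535 -d "$nsip" --dport 53 -j ACCEPT
  iptables -A INPUT -p tcp ! --syn -s "$nsip" --sport 53 -d "$ip" --dport 1024:65535 -j ACCEPT
done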
 
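# ICMP in both directions (all types: ping, path MTU discovery and the error
# replies that traceroute relies on)
iptables -A OUTPUT -p icmp -s "$ip" -d 0/0 -j ACCEPT
iptables -A INPUT -p icmp -s 0/0 -d "$ip" -j ACCEPT

# outgoing traceroute (UDP probes to the conventional traceroute port range)
iptables -A OUTPUT -p udp -s "$ip" --sport 1024:65535 -d 0/0 --dport 33434:33523 -j ACCEPT

# Reply rules for connections this VPS opens. Without connection tracking a
# "reply" can only be recognised by its source port, and a plain ACCEPT on
# such a rule would also admit a brand-new inbound connection from that
# source port (a remote host chooses its own source port) to any local
# service listening on an unprivileged port. "! --syn" keeps the packets of
# a flow we opened (SYN-ACK, ACK, data) and rejects the SYN that starts a
# new one.

# outgoing SMTP
iptables -A OUTPUT -p tcp -s "$ip" --sport 1024:65535 -d 0/0 --dport 25 -j ACCEPT
iptables -A INPUT -p tcp ! --syn -s 0/0 --sport 25 -d "$ip" --dport 1024:65535 -j ACCEPT

# outgoing FTP: the control connection to port 21 ...
iptables -A OUTPUT -p tcp -s "$ip" --sport 1024:65535 -d 0/0 --dport 21 -j ACCEPT
iptables -A INPUT -p tcp ! --syn -s 0/0 --sport 21 -d "$ip" --dport 1024:65535 -j ACCEPT
# ... and the passive-mode data connection, which we open from an
# unprivileged port to the server's unprivileged data port. Because both
# port ranges are the whole 1024:65535 span, a plain ACCEPT on the INPUT
# side would open every local high port to the whole Internet; "! --syn"
# is what keeps this rule to replies only.
iptables -A OUTPUT -p tcp -s "$ip" --sport 1024:65535 -d 0/0 --dport 1024:65535 -j ACCEPT
iptables -A INPUT -p tcp ! --syn -s 0/0 --sport 1024:65535 -d "$ip" --dport 1024:65535 -j ACCEPT

# outgoing SSH
iptables -A OUTPUT -p tcp -s "$ip" --sport 513:65535 -d 0/0 --dport 22 -j ACCEPT
iptables -A INPUT -p tcp ! --syn -s 0/0 --sport 22 -d "$ip" --dport 513:65535 -j ACCEPT

# outgoing http and https, for up2date and other stuff
iptables -A OUTPUT -p tcp -s "$ip" --sport 1024:65535 -d 0/0 --dport 80 -j ACCEPT
iptables -A INPUT -p tcp ! --syn -s 0/0 --sport 80 -d "$ip" --dport 1024:65535 -j ACCEPT
iptables -A OUTPUT -p tcp -s "$ip" --sport 1024:65535 -d 0/0 --dport 443 -j ACCEPT
iptables -A INPUT -p tcp ! --syn -s 0/0 --sport 443 -d "$ip" --dport 1024:65535 -j ACCEPT

# Okay Drop everything from here :D -- the chain policies set above already
# drop; these explicit rules just make the dropped traffic visible in the
# rule counters.
iptables -A INPUT -s 0/0 -j DROP
iptables -A OUTPUT -d 0/0 -j DROP
# EOF SFW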

Backup shell script to backup selected directories and upload securely (gpg) to FTP server


This script requires GNU Privacy Guard – cryptographic software on Linux / UNIX systems. GnuPG encrypts messages using asymmetric keypairs individually generated by GnuPG users. The resulting public keys can be exchanged with other users in a variety of ways, such as Internet key servers. They must always be exchanged carefully to prevent identity spoofing by corrupting public key ↔ ‘owner’ identity correspondences. It is also possible to add a cryptographic digital signature to a message, so the message integrity and sender can be verified, if a particular correspondence relied upon has not been corrupted.

GnuPG does not use patented or otherwise restricted software or algorithms, including the IDEA encryption algorithm which has been present in PGP almost from the beginning. Instead, it uses a variety of other, non-patented algorithms such as CAST5, Triple DES, AES, Blowfish and Twofish. It is still possible to use IDEA in GnuPG by downloading a plugin for it, however this may require getting a license for some uses in some countries in which IDEA is patented.

GnuPG is a hybrid encryption software program in that it uses a combination of conventional symmetric-key cryptography for speed, and public-key cryptography for ease of secure key exchange, typically by using the recipient’s public key to encrypt a session key which is only used once. This mode of operation is part of the OpenPGP standard and has been part of PGP from its first version.

Shell Script

#!/bin/bash
# Shell script (BASH) to backup the selected directory on server and upload to 
# another ftp server securely. This script uses the gpg command to 
# encrypt the .tar.gz file before the upload takes place.
#
# In order to run this script you must have following tools installed:
# - /usr/bin/ncftpput
# - /bin/tar
# - /usr/bin/mail
# - /usr/bin/gpg
#
# The script also mails back whether the ftp operation failed or not
#
# Installation:
# Customize the script according to your need. You need to setup ftp 
# server, password etc. Next, you need to setup gpg user name and 
# import public key so that you can encrypt the files. Usually following two 
# commands needed for gpg:
# gpg --import userkey
# gpg --edit-key KEY_ID|USER_ID
# Command>trust
# 
# --------------------------------------------------------------------
# This is a free shell script under GNU GPL version 2.0 or above
# Copyright (C) 2005 nixCraft project.
# Feedback/comment/suggestions : http://cyberciti.biz/fb/
# -------------------------------------------------------------------------
# This script is part of nixCraft shell script collection (NSSC)
# Visit http://bash.cyberciti.biz/ for more information.
# -------------------------------------------------------------------------
 
# --- What to back up ------------------------------------------------------
# Directories to archive, space separated, e.g. "/home /www /data2"
BACKUP="/home"

# --- Where to send it ------------------------------------------------------
# Remote ftp server, login and password. The password is stored here in the
# clear and handed to ncftpput on its command line, so keep this script
# readable by its owner only.
FTPH="ftp.backup.com"
FTPU="ftpusername"
FTPP="secret"

# Remote directory; leave blank for the account's default directory.
# ncftpput creates it when it does not exist :)
FTPD="backup/"

# --- Local settings --------------------------------------------------------
# gpg user id whose public key encrypts the archive
GPGU="nixcraft"

# Scratch directory for the .tar.gz and its encrypted copy
TMPD="/tmp"

# --- Status mail -----------------------------------------------------------
# Recipient: an admin mailbox (me@mycorp.com) or a pager address
MTO="support@mycorp.com"
MSUB="Backup $(hostname) report"
# Who to contact when something goes wrong; appears in error messages :)
ADMIN_INFO="For support visit http://cyberciti.biz/fb/ or write an email to nobody@cyberciti.biz"

# --- Tool locations --------------------------------------------------------
# Only change these if your UNIX keeps the binaries somewhere else
NCFTP="/usr/bin/ncftpput"
TAR="/bin/tar"  # must be gnu tar
MAILC="/usr/bin/mail"
GPG="/usr/bin/gpg"
 
#######################################################################
# Do not change anything below
#######################################################################
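# Everything created below (plaintext archive, encrypted archive, mail body)
# lives in a private, unpredictably named directory under $TMPD. With the
# default umask the .tar.gz of $BACKUP would otherwise sit world-readable in
# a shared /tmp, and a fixed name such as /tmp/ftpout.PID.txt can be
# pre-created (e.g. as a symlink) by any other local user.
umask 077
if ! WORK="$(mktemp -d "$TMPD/backup.XXXXXX")"; then
  echo "Cannot create a work directory under $TMPD, contact $ADMIN_INFO" >&2
  exit 1
fi
THIS_HOST="$(hostname)"
FILE="$THIS_HOST.$(date +"%d-%m-%Y").tar.gz"
OUT="$WORK/$FILE"          # plaintext archive
FOUT="$OUT.gpg"            # encrypted archive, the only file that is uploaded
MFILE="$WORK/ftpout.txt"   # body of the status mail
MESS=""

# Remove the work directory, plaintext archive included, on every exit path:
# success, failure or interruption.
cleanup() {
  rm -rf -- "${WORK:?}"
}
trap cleanup EXIT

# Fail fast when one of the required tools is missing, before any archive is
# written.
for tool in "$TAR" "$NCFTP" "$GPG"; do
  if [ ! -x "$tool" ]; then
    echo "$tool command not found, contact $ADMIN_INFO" >&2
    exit 1
  fi
done

# shellcheck disable=SC2086 -- $BACKUP is deliberately a space separated list
if ! "$TAR" -zcf "$OUT" $BACKUP; then
  MESS="$TAR failed to create backup. Nothing uploaded to remote FTP $FTPH server"
else
  # Encrypt the .tar.gz file before upload. --batch makes gpg fail instead
  # of waiting for an answer on a terminal a cron job does not have (for
  # instance when the recipient key has not been trusted, see the
  # installation notes above). A failed encryption must not be followed by
  # an upload attempt with a missing or partial $FOUT.
  if ! "$GPG" --batch -e -r "$GPGU" -o "$FOUT" "$OUT"; then
    MESS="$GPG failed to encrypt backup. Nothing uploaded to remote FTP $FTPH server"
  else
    # NOTE: -p puts the FTP password on the command line, where every local
    # user can read it from the process list while the upload runs.
    # ncftpput can take host, user and password from a login configuration
    # file instead (its -f option; exit status 9 below refers to that file),
    # which is preferable on a multi-user box.
    "$NCFTP" -m -u "$FTPU" -p "$FTPP" "$FTPH" "$FTPD" "$FOUT"
    OSTAT="$?"
    # ncftpput exit status -> human readable message
    case "$OSTAT" in
      0) MESS="Success.";;
      1) MESS="Could not connect to remote host $FTPH.";;
      2) MESS="Could not connect to remote host $FTPH - timed out.";;
      3) MESS="Transfer failed.";;
      4) MESS="Transfer failed - timed out.";;
      5) MESS="Directory change failed.";;
      6) MESS="Directory change failed - timed out.";;
      7) MESS="Malformed URL.";;
      8) MESS="Usage error. May be your version of ncftpput ($NCFTP) is old";;
      9) MESS="Error in login configuration file.";;
      10) MESS="Library initialization failed.";;
      11) MESS="Session initialization failed.";;
      *) MESS="Unknown error, contact admin $ADMIN_INFO";;
    esac
  fi
fi

# Build the status report in the private work directory
{
  echo "Backup status for $THIS_HOST as on $(date):"
  echo ""
  echo "Backup File : $FOUT"
  echo "Backup ftp server : $FTPH"
  echo "Backup status message : $MESS"
  echo ""
  echo "-- Automatically generated by ${0##*/}"
} >"$MFILE"

# send an email to admin; the temporary files are removed by the EXIT trap
"$MAILC" -s "$MSUB" "$MTO" <"$MFILE"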