Iptables ile örnek bir konfigürasyon
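#######################################################################
# Module loading.
# These are the legacy ipt_*/ip_* names from the 2.4/2.6 kernel era;
# newer kernels usually autoload netfilter modules on first use and
# renamed several of these (xt_*/nf_*), so a modprobe failure here is
# worth checking against your kernel's module names.
# A failed modprobe is reported on stderr but does not stop the script,
# which keeps the original best-effort behaviour.

echo "Moduller Yukleniyor ..."

moduller=(
  ip_tables ip_conntrack iptable_filter iptable_mangle iptable_nat
  ipt_LOG ipt_limit ipt_MASQUERADE ipt_owner ipt_REJECT ipt_mark
  ipt_tcpmss ipt_state ip_nat_ftp ip_conntrack_ftp
)

for modul in "${moduller[@]}"; do
  /sbin/modprobe "$modul" || printf 'uyari: modul yuklenemedi: %s\n' "$modul" >&2
done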
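##########################################################################
# Variables
#
# firewalldisbacak  public (outside) address of the firewall; used as the
#                   SNAT source for LAN clients
# firewallicbacak   inside (LAN-facing) address of the firewall
# yerelag           LAN network in CIDR form
# on_ip             first three octets of the LAN; per-host addresses are
#                   built from it in the loops below
# broadcast         LAN broadcast address
# IPT / ipt         path to the iptables binary. Both spellings are used by
#                   the rules below, so the second is derived from the first
#                   instead of being hard-coded twice.
firewalldisbacak="193.193.193.193"
firewallicbacak="192.168.6.2"
yerelag="192.168.6.0/24"
on_ip="192.168.6"
broadcast="192.168.6.255"
IPT="/sbin/iptables"
ipt="$IPT"
###########################################################################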
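###########################################################################
# Kernel network hardening (written straight to /proc). These settings take
# effect immediately and independently of the iptables rules below.

# Enable routing between the inside and outside interfaces.
echo 1 > /proc/sys/net/ipv4/ip_forward

# RFC1812 reverse-path check: drop packets arriving on an interface that is
# not the route back to their source (basic anti-spoofing).
echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter

# Proxy ARP was left disabled by the author.
# (The reference link in the original comment was lost in the forum export.)
# echo 1 > /proc/sys/net/ipv4/conf/all/proxy_arp

# Ignore ICMP echo requests sent to broadcast addresses (smurf amplification).
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts

# Reject source-routed packets.
echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route

# Ignoring ICMP redirects was left commented out by the author; on a router
# it is usually worth enabling (set to 0) so a neighbour cannot alter routes.
# echo "0" > /proc/sys/net/ipv4/conf/all/accept_redirects

# Accept ICMP redirects only from gateways in the default gateway list.
echo 1 > /proc/sys/net/ipv4/conf/all/secure_redirects

# Logging of martian (impossible-source) packets, left off by the author.
#echo 1 > /proc/sys/net/ipv4/conf/all/log_martians

# SYN flood protection.
echo 1 > /proc/sys/net/ipv4/tcp_syncookies

# Do not answer ICMP echo at all.
# NOTE: this kernel setting overrides the iptables ACCEPT rules for
# echo-request / echo-reply further down; the host will not answer ping
# regardless of those rules.
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all

# Ping and traceroute closed.
# NOTE: both rules are appended before the "$IPT -F" flush in the reset
# section below and are therefore discarded; they have no lasting effect.
# The original echo-request rule also had no -j target, which made it a
# pure counting rule. Kept with the intended DROP target for reference.
$IPT -A INPUT -p icmp --icmp-type echo-request -j DROP
$IPT -A INPUT -p udp --dport traceroute:33498 -j DROP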
##########################################################################
# Reset: open the built-in policies, then empty and delete every chain so
# the rules below start from a clean table. While this section runs the
# policies are ACCEPT and no rules exist, so there is a short fail-open
# window; INPUT is switched back to DROP immediately after the reset.

for zincir in INPUT FORWARD OUTPUT; do
  $IPT -P "$zincir" ACCEPT
done
for zincir in PREROUTING POSTROUTING OUTPUT; do
  $IPT -t nat -P "$zincir" ACCEPT
done
for zincir in PREROUTING OUTPUT; do
  $IPT -t mangle -P "$zincir" ACCEPT
done

# Flush all rules, table by table (-t filter is the default table).
for tablo in filter nat mangle; do
  $IPT -t "$tablo" -F
done

# Then delete the (now empty) user-defined chains.
for tablo in filter nat mangle; do
  $IPT -t "$tablo" -X
done
###########################################################################
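###########################################################################
# Base policy: INPUT drops by default, so everything accepted below is
# explicit. FORWARD and OUTPUT keep the ACCEPT policy set during the reset
# above; forwarding is restricted only by the explicit -s DROP rules later.
$ipt -P INPUT DROP

# ip_forward is already enabled in the sysctl section above; the original
# repeated the write here, which is not needed.

# DUMP: log, then drop. Packets that match nothing else end up here.
# The LOG rule is rate-limited (ipt_limit is loaded above but was never
# used) so a flood of rejected packets cannot fill the system log; the
# 5/min + burst 10 values are a chosen default, tune as needed.
$ipt -N DUMP > /dev/null
$ipt -F DUMP
$ipt -A DUMP -m limit --limit 5/min --limit-burst 10 -j LOG --log-prefix "firewall: "
$ipt -A DUMP -j DROP

# STATEFUL: accept packets belonging to existing connections, send the
# rest to DUMP.
$ipt -N STATEFUL > /dev/null
$ipt -F STATEFUL
$ipt -A STATEFUL -m state --state ESTABLISHED,RELATED -j ACCEPT
$ipt -A STATEFUL -j DUMP

# Loopback is always allowed.
$ipt -A INPUT -i lo -j ACCEPT

# Ping requests and replies.
# NOTE: icmp_echo_ignore_all=1 above makes the kernel ignore echo requests
# anyway, so these rules only let the packets reach the stack; the host
# still does not answer ping.
$ipt -A INPUT -p icmp --icmp-type echo-reply -j ACCEPT
$ipt -A INPUT -p icmp --icmp-type echo-request -j ACCEPT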


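# Hosts .121 - .160 are blocked entirely, both to the firewall (INPUT) and
# through it (FORWARD). The range is kept in two variables so it can be
# changed in one place.
engelli_ilk=121
engelli_son=160
for (( sayi = engelli_ilk; sayi <= engelli_son; sayi++ )); do
  ip="${on_ip}.${sayi}"
  $ipt -A INPUT -s "$ip" -j DROP
  $ipt -A FORWARD -s "$ip" -j DROP
done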



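# Hosts .101 - .120 may only use the listed destination ports (1863, likely
# MSN Messenger; 25, 110, 143, 993 mail; 8080 proxy), both to the firewall
# (INPUT) and through it (FORWARD); anything else from them is dropped.
# Every port is opened for tcp AND udp exactly as in the original rule set
# (udp on the mail ports is unused but harmless). Rule order is preserved:
# per host, all INPUT accepts then INPUT drop, then the same for FORWARD.
kisitli_ilk=101
kisitli_son=120
kisitli_portlar=(1863 25 110 143 993 8080)

for (( sayi = kisitli_ilk; sayi <= kisitli_son; sayi++ )); do
  ip="${on_ip}.${sayi}"
  for zincir in INPUT FORWARD; do
    for port in "${kisitli_portlar[@]}"; do
      for proto in tcp udp; do
        $ipt -A "$zincir" -s "$ip" -p "$proto" --dport "$port" -j ACCEPT
      done
    done
    $ipt -A "$zincir" -s "$ip" -j DROP
  done
done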




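# Services reachable on the firewall itself.
# --ports matches source OR destination port, so 8080 and 10000 are
# accepted from anywhere (10000 is opened again in the FTP/Webmin section).
$ipt -A INPUT -p tcp -m multiport --ports 8080,10000 -j ACCEPT
# HTTP on the inside address, LAN sources only.
$ipt -A INPUT -p tcp -s "$yerelag" -d "$firewallicbacak" --dport 80 -j ACCEPT
# SSH from anywhere. Restricting the source or rate-limiting new
# connections with -m limit (the module is loaded above) would reduce
# exposure.
$ipt -A INPUT -p tcp --dport 22 -j ACCEPT

#################
# NAT           #
#################
# Rewrite the source address of LAN clients leaving the network to the
# public address. The "-d ! addr" form is the old intrapositioned negation;
# newer iptables releases expect "! -d addr" and warn about this form.
$ipt -A POSTROUTING -t nat -s "$yerelag" -d ! "$firewallicbacak" -j SNAT --to-source "$firewalldisbacak"

# NetBIOS name/datagram traffic to the broadcast address (accepted so it
# does not end up in the DUMP log). Order matches the original: tcp first.
for proto in tcp udp; do
  for port in 137 138; do
    $ipt -A INPUT -p "$proto" -d "$broadcast" --dport "$port" -j ACCEPT
  done
done

# FTP and Webmin reachable from anywhere. Passive FTP data connections are
# matched as RELATED via the ip_conntrack_ftp / ip_nat_ftp modules loaded
# above and are accepted by the STATEFUL chain.
$ipt -A INPUT -p tcp --dport 20:21 -j ACCEPT
$ipt -A INPUT -p tcp --dport 10000 -j ACCEPT

# Finally, everything not matched above goes through the state check and,
# if it belongs to no known connection, on to DUMP (log + drop).
$ipt -A INPUT -j STATEFUL

####################################################################################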

Özdemir Şarman
aka (Charmant-zavanetratan)