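#!/bin/sh
#
# Host firewall for a single LAN-attached machine: default-deny on every
# chain, loopback open, anti-spoofing, ping in/out, inbound SMTP, and
# rate-limited logging of whatever falls through to the DROP policies.
#
# Usage: run as root. Re-running is safe: the chains are flushed before
#        the rules are re-applied, so nothing is appended twice.
#
# Original From
# -------------
# http://networking.earthweb.com/netsysm/article.php/2168251
#
# 27-Jun-04 amo Date-of-Birth
#
# Stop at the first failed iptables call instead of continuing with a
# half-applied ruleset; treat unset variables as errors.
set -eu
#
# Site-specific values: adjust LAN_IP and IFACE for the host.
LAN_IP="192.168.0.2"
LAN_NET_RANGE="192.168.0.0/16"   # not referenced below; kept for local customisation
#
# No space after '=': "IFACE= eth0" would run a command named eth0 with an
# empty IFACE, and every -i/-o rule below would then be malformed.
IFACE="eth0"
#
LO_IFACE="lo"
LO_IP="127.0.0.1"                # not referenced below; kept for local customisation
LO_NET="127.0.0.0/8"
#
IPTABLES=/usr/sbin/iptables
#
#
# Our default policy is DROP
# --------------------------
# A packet that matches none of the rules will be unceremoniously dropped.
# Policies are set before the flush so the host fails closed while the
# rules are being rebuilt.
#
$IPTABLES -P INPUT DROP
$IPTABLES -P OUTPUT DROP
$IPTABLES -P FORWARD DROP
#
# Start from empty chains so a second run does not append duplicate rules.
$IPTABLES -F
$IPTABLES -X
#
#
# Enable loopback or many things will break
# -----------------------------------------
$IPTABLES -A INPUT  -i "$LO_IFACE" -p all -j ACCEPT
$IPTABLES -A OUTPUT -o "$LO_IFACE" -p all -j ACCEPT
#
#
# REJECT sends a response, whereas DROP does NOT
# tell port scanners to go away
# -d takes an address, so the loopback *network* is matched here (the
# original wrote "-d lo", which iptables cannot resolve) and only packets
# that did not arrive on the loopback interface are considered. The target
# and its option are separate words: "REJECT--reject-with" is not a target.
$IPTABLES -A INPUT ! -i "$LO_IFACE" -d "$LO_NET" -j REJECT --reject-with icmp-port-unreachable
# $IPTABLES -A INPUT ! -i "$LO_IFACE" -d "$LO_NET" -j REJECT --reject-with icmp-network-unreachable
# $IPTABLES -A INPUT ! -i "$LO_IFACE" -d "$LO_NET" -j REJECT --reject-with icmp-host-unreachable
#
#
# Block IP spoofing
# -----------------
# Drop incoming packets that claim to originate from your host
# Drop outgoing packets that do not originate from your host
$IPTABLES -A INPUT  -i "$IFACE"   -s "$LAN_IP" -j DROP
$IPTABLES -A OUTPUT -o "$IFACE" ! -s "$LAN_IP" -j DROP
#
#
# Do stateful packet filtering
# ----------------------------
# Placed after the anti-spoofing rules so a forged source address is
# dropped before the conntrack lookup. The INPUT rule is needed as well as
# the OUTPUT one: without it, RELATED ICMP errors for accepted flows
# (e.g. fragmentation-needed) are dropped and path-MTU discovery breaks.
$IPTABLES -A INPUT  -m state --state RELATED,ESTABLISHED -j ACCEPT
$IPTABLES -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
#
#
# Restrict outgoing and incoming ICMP
# -----------------------------------
# Only echo-request / echo-reply are allowed, in both directions.
$IPTABLES -A INPUT  -p icmp --icmp-type echo-request -j ACCEPT
$IPTABLES -A OUTPUT -p icmp --icmp-type echo-request -j ACCEPT
#
$IPTABLES -A INPUT  -p icmp --icmp-type echo-reply -j ACCEPT
$IPTABLES -A OUTPUT -p icmp --icmp-type echo-reply -j ACCEPT
#
#
# Allow DHCP
# ----------
# dhcp ports are limited to UDP 67 and 68; TCP 67/68 are not allowed
# NOTE(review): a DHCP client receives replies with --sport 67 --dport 68;
# confirm the port pair before enabling this rule.
# $IPTABLES -A INPUT -p udp -i "$IFACE" --dport 67 --sport 68 -j ACCEPT
#
#
# Allow SMTP from outside mail servers
# ------------------------------------
# Accepts new inbound connections to TCP port 25; the reply traffic is
# also matched by the stateful rules above.
$IPTABLES -A INPUT -p tcp --destination-port 25 -m state --state NEW,ESTABLISHED -j ACCEPT
#
#
# Log packets that fall through to the DROP policy
# ------------------------------------------------
# Appended last so only traffic no earlier rule accepted is logged
# (appending LOG right after the loopback rules logged accepted packets
# too), and rate-limited so a flood cannot fill syslog. LOG is
# non-terminating: the chain policy still drops the packet afterwards.
$IPTABLES -A INPUT  -m limit --limit 5/min --limit-burst 10 -j LOG --log-prefix "iptables INPUT drop: "
$IPTABLES -A OUTPUT -m limit --limit 5/min --limit-burst 10 -j LOG --log-prefix "iptables OUTPUT drop: "
#
#
# End of file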