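#!/bin/sh
#
# Merged the 2 files together
# --------------------------
# http://www.Linux-Sec.net/Firewall/Scripts/rc.iptable.onsight.txt
#
# Original File
# -------------
# http://www.hackinglinuxexposed.com/articles/20021015.html - /proc entries
# http://www.hackinglinuxexposed.com/articles/20030213.html
# http://www.governmentsecurity.org/forum/index.php?showtopic=1475
#
# Remember, this example is to show egress filtering, not a
# full firewall implementation.
#
# 27-Jun-04 amo Date-of-Birth
#
# Usage: run as root (for example from an rc script) after editing the
# variables below.  Only the IPv4 filter table is configured; if IPv6 is
# enabled on the host, ip6tables is untouched by this script and IPv6
# traffic is not filtered here.
#
# Abort on the first failing command.  The policies are set to DROP
# before any ACCEPT rule is added, so a partial run leaves the host
# closed rather than open.
set -eu

# Print a diagnostic to stderr and exit non-zero.
die() {
  printf '%s\n' "$*" >&2
  exit 1
}

[ "$(id -u)" -eq 0 ] || die "${0##*/}: must be run as root"
command -v iptables >/dev/null 2>&1 || die "${0##*/}: iptables not found in PATH"

# Define a few variables for ease of use
# --------------------------------------
# NOTE: the address values below are placeholders (octets above 255 are
# not valid IPv4 and iptables will reject them); set them for this host
# before running the script.
MYIP=123.456.789.012
MYNET=123.456.789.0/24
ETHERNET="eth0"
# This machine makes all DNS requests to a single
# DNS server, rather than asking the roots directly.
DNSSERVER=210.987.654.321
readonly MYIP MYNET ETHERNET DNSSERVER

# Set the policy to be DROP
# -------------------------
# In other words, should a packet not match any rule, it will be
# dropped by default.  We'll put this before the flush to make sure
# that while this script runs, we are secure by default.
iptables -P INPUT DROP
iptables -P OUTPUT DROP

# Flush all tables
# ----------------
# "iptables -F" with no chain name flushes every chain of the filter
# table, so separate INPUT/OUTPUT flushes are not needed.
iptables -F

# Let's allow all packets on the local (127.1) network interface.
# ---------------------------------------------------------------
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

# Drop all inbound packets that claim to be from us
# -------------------------------------------------
iptables -A INPUT -i "$ETHERNET" -s "$MYIP" -j DROP

# Drop all outbound packets that claim not to be from us
# ------------------------------------------------------
# "! -s" is the current negation syntax; the older "-s ! addr" form is
# deprecated and only accepted with a warning on recent iptables.
iptables -A OUTPUT -o "$ETHERNET" ! -s "$MYIP" -j DROP

# Block inbound from RFC1918 networks
# -----------------------------------
iptables -A INPUT -i "$ETHERNET" -s 10.0.0.0/8 -j DROP

# Add other such rules here to block 172.16/12, 192.168./16
# and other networks, multicast, and flag settings that you
# should not expect from legitimate traffic.
#
# Remember, this example is to show egress filtering, not a
# full firewall implementation.

# Allow inbound HTTP from everywhere
# ----------------------------------
# Replies are only allowed without SYN, i.e. for connections the
# remote side opened.
iptables -A INPUT -i "$ETHERNET" -p tcp -d "$MYIP" --dport 80 -j ACCEPT
iptables -A OUTPUT -o "$ETHERNET" -p tcp -s "$MYIP" --sport 80 ! --syn -j ACCEPT

# Allow inbound SSH from local network
# ------------------------------------
iptables -A INPUT -i "$ETHERNET" -p tcp -d "$MYIP" --dport 22 -s "$MYNET" -j ACCEPT
iptables -A OUTPUT -o "$ETHERNET" -p tcp -s "$MYIP" --sport 22 -d "$MYNET" ! --syn -j ACCEPT

# Allow outbound DNS to our nameserver[3]
# ---------------------------------------
iptables -A OUTPUT -o "$ETHERNET" -p udp -s "$MYIP" --dport 53 -d "$DNSSERVER" -j ACCEPT
iptables -A INPUT -i "$ETHERNET" -p udp -d "$MYIP" --sport 53 -s "$DNSSERVER" -j ACCEPT

# Log any rejects to syslog
# -------------------------
# These LOG rules are not rate limited; a flood of unmatched packets
# becomes a flood of syslog lines.  Consider "-m limit" if that matters.
iptables -A INPUT -j LOG
iptables -A OUTPUT -j LOG

# see rc.iptable.brandonhutchinson.txt for more loging options

# /proc options
# =============
#
# Handy functions to set each named /proc file to one or zero.
#
# The original "echo 1> $file" is parsed by the shell as a redirection
# of file descriptor 1 (and "echo 0> $file" as a redirection of fd 0),
# so the intended value never reached the file.  Files that do not
# exist on the running kernel are reported and skipped; a write that
# the kernel refuses is reported but does not abort the run, since the
# packet filter above is already in place.
#
# Arguments: $1 - value to write; $2.. - /proc files (globs expand at
#            the call site, an unmatched glob is reported as missing)
# Outputs:   diagnostics on stderr
set_proc() {
  value=$1
  shift
  for file in "$@"; do
    if [ -e "$file" ]; then
      printf '%s\n' "$value" > "$file" ||
        printf '%s: cannot write %s to %s\n' "${0##*/}" "$value" "$file" >&2
    else
      printf '%s: %s: no such file, skipped\n' "${0##*/}" "$file" >&2
    fi
  done
}

enable() {
  set_proc 1 "$@"
}

disable() {
  set_proc 0 "$@"
}

# Disable inbound source routed packets to prevent folks
# from spoofing their IP address. No legitimate users
# require source routing any more.
disable /proc/sys/net/ipv4/conf/*/accept_source_route

# Enable TCP SYN cookies to keep us from suffering from
# syn-flood DoS or DDoS attacks. See DJB's page at
# http://cr.yp.to/syncookies.html if you want to know
# how SYN cookies work - it's cool.
enable /proc/sys/net/ipv4/tcp_syncookies

# Ignore redirects from machines that are listed as gateways
# (routers set by 'route add ... gw IPADDR'). Not a good idea
# if these routers do send redirects, which is likely if you
# multiple routers on your net but only one default configured.
#
# Redirects can be abused to perform man-in-the-middle attacks,
# so you only want them enabled from trusted sources.
enable /proc/sys/net/ipv4/conf/*/secure_redirects

# Reject any non-secure redirects
# (with accept_redirects off, secure_redirects has no further effect)
disable /proc/sys/net/ipv4/conf/*/accept_redirects

# Don't send any redirects either. (Only use if you're
# not acting as a router that needs to send redirects.)
disable /proc/sys/net/ipv4/conf/*/send_redirects

# Do not respond to packets that would cause us to go out
# a different interface than the one to which we're responding.
# (1 = strict reverse-path filtering.)
enable /proc/sys/net/ipv4/conf/*/rp_filter

# Reassemble fragmented packets. Usually a good idea.
# ip_always_defrag is from 2.2-era kernels; on later kernels the file
# is absent (set_proc reports and skips it) and defragmentation is
# handled by netfilter connection tracking instead.
enable /proc/sys/net/ip_always_defrag

# Log any packets that have IP addresses that shouldn't exist
enable /proc/sys/net/ipv4/conf/*/log_martians

# ==============================
# Disable packet forwarding
# ==============================
#
# (Do not do this if you're a router/firewall!)
disable /proc/sys/net/ipv4/ip_forward

# Send an ARP for address to which we have a route. Good
# for some firewall and VPN/router setups, bad for hosts.
disable /proc/sys/net/ipv4/conf/*/proxy_arp

# Ignore broadcast pings
# (Don't participate in smurf attacks)
enable /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts

# Ignore all pings.
# (May be considered a bit excessive.)  Note the full path is needed;
# the helper does not prepend /proc/sys/net/ipv4.
#enable /proc/sys/net/ipv4/icmp_echo_ignore_all

# End of file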