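#!/bin/sh
#
# Local File
# ----------
# http://www.Linux-Sec.net/Firewall/Scripts/rc.iptable.splatt.firewall.txt
#
# Original File
# -------------
# http://www.splatt.it/modules/corsobaselinux/deeper/firewall.txt
#
# 27-Jun-04 amo Date-of-Birth
#
# firewall.sh - Version 20020319 - Coresis
#
# Used random IPs
#
# Host firewall: default-DROP on every chain, followed by a short allow-list.
# Reply traffic is admitted by connection tracking (ESTABLISHED,RELATED)
# rather than by matching the peer's source port, so a remote host cannot get
# past the INPUT policy simply by sending from port 53, 25 or 123.
# Requires iptables with the "state" match (ip_conntrack / nf_conntrack).

IPT=/sbin/iptables
SYSCTL_DIR=/proc/sys/net/ipv4

# Write one value into an ipv4 sysctl: set_sysctl <name-under-net/ipv4> <value>
set_sysctl() {
  echo "$2" > "$SYSCTL_DIR/$1"
}

### DEBUGGING ###
# Traces every command to stderr. Kept from the original; turn off in production.
set -x

### FLUSHING CHAIN ###
"$IPT" -F
"$IPT" -X
"$IPT" -Z

### DEFAULT CHAIN ###
# Policies are set before any ACCEPT rule exists, so all traffic (including
# a live SSH session) is dropped for the instant until the rules below load.
"$IPT" -P INPUT DROP
"$IPT" -P FORWARD DROP
"$IPT" -P OUTPUT DROP

### SETTING IPFORWARDING ###
# Kept from the original; with the FORWARD policy DROP and no FORWARD rules
# nothing is actually forwarded. Set to 0 if this host is not meant to route.
set_sysctl ip_forward 1

### DISABLE RESPOND TO BROADCAST ###
set_sysctl icmp_echo_ignore_broadcasts 1

### ENABLE BAD ERROR MESSAGE PROTECTION ###
set_sysctl icmp_ignore_bogus_error_responses 1

### DISABLE ICMP REDIRECT ACCEPTANCE ###
set_sysctl conf/all/accept_redirects 0

### SETTING ANTISPOOFING PROTECTION ###
set_sysctl conf/all/rp_filter 1

### LOG MARTIAN (IMPOSSIBLE-SOURCE) PACKETS ###
# The original labelled this "don't respond to broadcast pings"; that is the
# icmp_echo_ignore_broadcasts setting above. log_martians only logs.
set_sysctl conf/all/log_martians 1

##################################################################
# GW1 AND GW2 ARE TRUSTED HOSTS FROM WHICH SSH COMMUNICATION IS PERMITTED
GW1=10.10.10.4
GW2=192.168.1.5

# LINEA1 AND LINEA2 ARE TRUSTED NETWORKS FROM WHICH ICMPS ARE ALLOWED
LINEA1=10.10.10.0/24
LINEA2=192.168.1.0/24

# NTP_SRV IS A NETWORK TIME PROTOCOL SERVER
NTP_SRV=10.198.151.1
##################################################################

# ======================= LOCALHOST ================================
# Match on the loopback interface, not on -s 127.0.0.1: a packet with source
# 127.0.0.1 arriving on eth0 is spoofed and must not be accepted.
"$IPT" -A INPUT  -i lo -j ACCEPT
"$IPT" -A OUTPUT -o lo -j ACCEPT

# ======================= CONNECTION TRACKING ======================
# Drop what conntrack cannot classify, then accept replies and related
# traffic (e.g. ICMP errors) for connections admitted by the rules below.
"$IPT" -A INPUT  -m state --state INVALID -j DROP
"$IPT" -A OUTPUT -m state --state INVALID -j DROP
"$IPT" -A INPUT  -m state --state ESTABLISHED,RELATED -j ACCEPT
"$IPT" -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# ======================= SSH RULE ================================
# New SSH sessions only from the two trusted hosts; the replies (the
# original's OUTPUT --sport 22 rules) are covered by ESTABLISHED above.
"$IPT" -A INPUT -i eth0 -p tcp --dport 22 -s "$GW1" -m state --state NEW -j ACCEPT
"$IPT" -A INPUT -i eth0 -p tcp --dport 22 -s "$GW2" -m state --state NEW -j ACCEPT

# ======================= DNS RULE ==========================
# Outbound queries to any resolver, as in the original. Answers arrive via
# ESTABLISHED; the original's INPUT rules accepting any packet with source
# port 53 from anywhere are deliberately not reproduced.
"$IPT" -A OUTPUT -p udp --dport 53 -m state --state NEW -j ACCEPT
"$IPT" -A OUTPUT -p tcp --dport 53 -m state --state NEW -j ACCEPT

# ======================= ICMP RULE ==========================
# ICMP exchanged with the trusted networks. The original matched -s on the
# OUTPUT chain, which can only ever match this host's own address; -d
# expresses the stated intent (ICMP to the trusted networks).
"$IPT" -A INPUT  -p icmp -s "$LINEA1" -j ACCEPT
"$IPT" -A INPUT  -p icmp -s "$LINEA2" -j ACCEPT
"$IPT" -A OUTPUT -p icmp -d "$LINEA1" -j ACCEPT
"$IPT" -A OUTPUT -p icmp -d "$LINEA2" -j ACCEPT

# ======================= NTP RULE =========================
# Time queries to the designated server only; replies via ESTABLISHED.
"$IPT" -A OUTPUT -p udp --dport ntp -d "$NTP_SRV" -m state --state NEW -j ACCEPT
"$IPT" -A OUTPUT -p tcp --dport ntp -d "$NTP_SRV" -m state --state NEW -j ACCEPT

# ================== MAIL SEND RULE ========================
# Outbound SMTP to the trusted networks; replies via ESTABLISHED.
"$IPT" -A OUTPUT -p tcp --dport 25 -d "$LINEA1" -m state --state NEW -j ACCEPT
"$IPT" -A OUTPUT -p tcp --dport 25 -d "$LINEA2" -m state --state NEW -j ACCEPT

### ADD CUSTOM SERVER RULES BELOW

# ================= HTTP & HTTPS ============================
# Public web service on eth0; responses leave via the ESTABLISHED rule.
"$IPT" -A INPUT -i eth0 -p tcp --dport 80  -m state --state NEW -j ACCEPT
"$IPT" -A INPUT -i eth0 -p tcp --dport 443 -m state --state NEW -j ACCEPT

#
# End of file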