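#!/bin/sh
#
# iptables-1.3.3
#
# Host firewall init script.  "start" tunes a few ipv4 sysctls, flushes the
# filter table, sets the INPUT/FORWARD policies to DROP and appends explicit
# ACCEPT rules; "stop" opens the built-in chains and flushes them; "restart"
# chains the two; "list" prints the active rules.
#
# Usage: $0 {start|stop|restart|list}
#
# http://www.cae.wisc.edu/iptables-using
# http://wendt.wisc.edu/site/public/files/liniptablesfiles/iptables.txt
#  * ACCEPT: This option accepts a given packet and allows it to pass either in or out
#  * DENY:   This option does not allow a packet to pass but sends an error message back to its sender
#  * DROP:   This option completely ignores a packet without sending an error message to its sender
#
# Howto Examples
# --------------
# http://www.cyberciti.biz/tips/linux-iptables-15-how-to-block-or-open-mail-serversmtp-protocol.html ( smtp )
# http://sogol.tank.jp/note/unix/iptables.html
# http://www.wains.be/index.php/category/linux/iptables ( ssh limit )
# http://www.archlinux.org/pipermail/arch/2006-July/011530.html
# http://www.liniac.upenn.edu/sysadmin/security/iptables.html ( redhat style for smtp server )
# http://files.directadmin.com/services/all/iptables
# http://shenlug.tux.org/scripts1/firewall.iptables
# http://lists.netfilter.org/pipermail/netfilter/2004-May/052658.html
#
# 23-Oct-08 amo Date-of-Birth - disallow port 8080
# 17-Nov-08 amo Added -i lo and drop, comment out 8080 stuff
# 18-Nov-08 amo Added ECHO rules and create OUTPUT rules from archlinux.org
# 19-Nov-08 amo Added --seconds from example at tank.jp
#

#IPTABLES=/usr/local/sbin/iptables
IPTABLES=/usr/sbin/iptables

# Deliberately no "set -e": aborting half-way through "start" would leave the
# chains partly built with the DROP policies already in force.

#######################################
# Write an ipv4 sysctl through /proc (shell builtin echo, no external binary).
# Arguments: $1 - name relative to /proc/sys/net/ipv4/ (may contain '/')
#            $2 - value to write
#######################################
set_sysctl() {
  echo "$2" > "/proc/sys/net/ipv4/$1"
}

#######################################
# Remove every rule and user-defined chain from the filter table and zero
# the counters.  Rules are flushed before chains are deleted because -X
# refuses to remove a chain that is still referenced by a rule.
#######################################
flush_chains() {
  $IPTABLES -F
  $IPTABLES -X
  $IPTABLES -Z
}

#######################################
# Tune the kernel, reset the filter table and install the rule set.
# Globals: IPTABLES (read)
#######################################
fw_start() {
  printf '%s' "Starting IP Firewall and NAT..."

  # NOTE(review): forwarding is switched on here, yet the FORWARD policy set
  # below is DROP, no FORWARD rules are appended and the nat-table lines are
  # commented out, so nothing is forwarded in practice -- confirm forwarding
  # is still wanted on this host.
  set_sysctl ip_forward 1
  set_sysctl tcp_syncookies 1
  # set_sysctl icmp_echo_ignore_broadcasts 1
  set_sysctl ip_local_port_range "32768 62000"
  # Dynamic Routing
  set_sysctl ip_dynaddr 1
  # Disable response to ping.
  # set_sysctl icmp_echo_ignore_all 1
  # Disable response to broadcasts to prevent yourself from becoming a Smurf amplifier.
  # set_sysctl icmp_echo_ignore_broadcasts 1
  # Don't accept source routed packets.
  set_sysctl conf/all/accept_source_route 0
  # Disable ICMP redirect acceptance.
  set_sysctl conf/all/accept_redirects 0
  # Enable bogus error message protection.
  set_sysctl icmp_ignore_bogus_error_responses 1
  # Log spoofed packets, source routed packets, redirect packets.
  set_sysctl conf/all/log_martians 1

  # 18-Nov Initialize all the chains by removing all the rules
  flush_chains
  #IPTABLES -t nat -F
  #IPTABLES -t mangle -F
  #IPTABLES -t nat -X
  #IPTABLES -t mangle -X

  # Default policies: deny inbound and forwarded traffic, allow outbound.
  # if enabled, it prevents remote iptables restart
  $IPTABLES -P INPUT DROP
  $IPTABLES -P FORWARD DROP
  # OUTPUT is open; outbound traffic is not restricted by this script.
  $IPTABLES -P OUTPUT ACCEPT

  # 18-Nov loopback rules
  $IPTABLES -A INPUT -i lo -j ACCEPT
  $IPTABLES -A OUTPUT -o lo -j ACCEPT

  # INPUT Rules - Add to this section the ports you wish to explicitly allow connections on
  # Below are some common services that are commonly used
  # Comment out the lines to disable access to these services
  # The port numbers for other services you may wish to allow can be found in the /etc/services file
  #
  # 18-Nov-08 amo Inserted OUTPUT rules
  # 19-Nov-08 amo Block the entire domains

  # drop all outgoing invalid packets
  # iptables -A OUTPUT -m state --state INVALID -j DROP

  # Allow established connections
  #fails $IPTABLES -A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
  #fails $IPTABLES -A OUTPUT -o eth0 -m state --state ESTABLISHED,NEW -j ACCEPT
  # NOTE(review): with the state rules disabled the INPUT chain is stateless.
  # Replies to connections this host itself opens (e.g. an outbound HTTP
  # fetch, whose replies arrive from sport 80 to an ephemeral port) match none
  # of the ACCEPT rules below and are dropped by the final eth0 DROP -- confirm
  # that is intended, or re-check the state match on this kernel.

  # unrestricted outgoing
  $IPTABLES -A OUTPUT -o eth0 -p tcp -j ACCEPT

  # limit incoming connections to 5 per second
  # IPTABLES -A INPUT -p tcp -m limit --limit 5/second
  # drop all invalid incoming packets regardless of source or interface
  #IPTABLES -A INPUT -m state --state INVALID -j DROP
  # Allow established connections
  #IPTABLES -A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT

  # allow incoming ssh from *.11 and *.224
  $IPTABLES -A INPUT -i eth0 -p tcp -s 207.228.3.11/32 --dport 22 -j ACCEPT
  $IPTABLES -A INPUT -i eth0 -p tcp -s 207.228.48.224/32 --dport 22 -j ACCEPT

  # allow incoming mail connections
  # mail is received, not xmitting yet
  # NOTE(review): --syn matches only the opening SYN; in a stateless chain the
  # remaining packets of an inbound SMTP session (dport 25, SYN clear) fall
  # through to the final DROP -- confirm delivery works with this rule, or
  # drop --syn as on the port 80 rule below.
  $IPTABLES -A INPUT -i eth0 -p tcp --dport 25 --syn -j ACCEPT
  # Redundant with the unrestricted outgoing rule above; kept as documentation.
  $IPTABLES -A OUTPUT -o eth0 -p tcp --sport 25 -s 207.228.3.94/32 --dport 1024:65535 --syn -j ACCEPT

  # allow outgoing email connections
  #IPTABLES -A INPUT -i eth0 -p tcp --dport 25 -s 207.228.3.94/32 -m state --state ESTABLISHED,NEW -j ACCEPT
  #IPTABLES -A OUTPUT -o eth0 -p tcp --sport 25 -s 207.228.3.94/32 -m state --state ESTABLISHED,RELATED,NEW -j ACCEPT
  #IPTABLES -A FORWARD -p tcp --sport 25 -m state --state ESTABLISHED,RELATED -j ACCEPT

  # allow dns ( tcp for zone transfers )
  # NOTE(review): stateless match -- any UDP datagram with source port 53
  # reaches every local port above 1023, not only replies to this host's own
  # queries.  A state match (when available) would narrow this to replies.
  $IPTABLES -A INPUT -i eth0 -p udp --sport 53 --dport 1024: -j ACCEPT # dns works
  $IPTABLES -A OUTPUT -o eth0 -p udp --dport 53 --sport 1024: -j ACCEPT # dns works

  # allow http
  $IPTABLES -A INPUT -i eth0 -p tcp --dport 80 -j ACCEPT
  #x $IPTABLES -A OUTPUT -o eth0 -p tcp --sport 80 -j ACCEPT

  # Allow ping
  $IPTABLES -A INPUT -i eth0 -p icmp -j ACCEPT # ping works
  $IPTABLES -A OUTPUT -o eth0 -p icmp -j ACCEPT

  # drop 8080 ddos stuff to this host
  # (already covered by the catch-all DROP below; kept so the port is
  # visible in the rule listing and its counters can be watched)
  #IPTABLES -N DDOS
  $IPTABLES -A INPUT -i eth0 -d 207.228.3.0/24 -p tcp --dport 8080 -j DROP # nn.com/org
  $IPTABLES -A INPUT -i eth0 -d 207.228.3.0/24 -p udp --dport 8080 -j DROP
  #IPTABLES -A DDOS -p tcp --syn -m recent --name DDOS --rcheck --seconds 600 --hitcount 1 -j DROP
  #IPTABLES -A INPUT -i eth0 -d 207.228.3.94/32 -p tcp --dport 8080 -j DDOS # nn.com/org
  #IPTABLES -A INPUT -i eth0 -d 207.228.3.108/32 -p tcp --dport 8080 -j DDOS # gigEnn.com/net/org, nn.net
  #IPTABLES -A INPUT -i eth0 -d 207.228.3.195/32 -p tcp --dport 8080 -j DDOS

  # quietly drop everything else
  # ----------------------------
  # Explicit last rule for eth0; traffic arriving on any other interface is
  # handled by the INPUT policy (DROP) set above.
  $IPTABLES -A INPUT -i eth0 -j DROP
  #IPTABLES -A INPUT -i eth0 -j REJECT # causes chain/target mismatch problem on box
  #IPTABLES -A INPUT -i eth0 -j DROP   # drop quietly
  #IPTABLES -A INPUT -i eth0 -j DENY   # send deny message - lib problem on box

  echo "iptables initialized."
  echo
}

#######################################
# Disable filtering: open the built-in chains, then flush everything.
# Globals: IPTABLES (read)
#######################################
fw_stop() {
  printf '%s' "Stopping IP Firewall and NAT..."
  # Open the built-in chains *before* flushing.  Flushing alone would remove
  # the loopback and service ACCEPT rules while INPUT/FORWARD stay at DROP,
  # leaving the host unreachable (even from itself) instead of unfiltered.
  $IPTABLES -P INPUT ACCEPT
  $IPTABLES -P FORWARD ACCEPT
  $IPTABLES -P OUTPUT ACCEPT
  flush_chains
  # "start" enabled forwarding; turn it back off so an unfiltered host does
  # not also route between its interfaces.
  set_sysctl ip_forward 0
  # Input Rules
  #fails $IPTABLES -A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
  #fails $IPTABLES -A OUTPUT -o eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
  #IPTABLES -A INPUT -i eth0 -j REJECT
  echo "iptables stopped."
  echo
}

#######################################
# Stop, pause one second, start again.  Calls the functions directly rather
# than re-executing $0, so it does not depend on how the script was invoked.
#######################################
fw_restart() {
  printf '%s' "Restarting IP Firewall and NAT..."
  fw_stop > /dev/null
  echo
  sleep 1
  fw_start > /dev/null
  echo
}

#######################################
# Print the active filter rules.  -n avoids a reverse DNS lookup per address,
# which would otherwise slow or hang the listing behind this rule set.
#######################################
fw_list() {
  $IPTABLES -L -n -v
}

case "$1" in
  start)   fw_start ;;
  stop)    fw_stop ;;
  restart) fw_restart ;;
  list)    fw_list ;;
  *)       echo "Usage: $0 {start|stop|restart|list}" >&2 ;;
esac
#
# End of file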