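#!/bin/sh
#
# Local Copy
# --------------------------
# http://www.Linux-Sec.net/Firewall/Scripts/rc.iptable.brandonhutchinson.txt
#
# Original File
# -------------
# http://www.brandonhutchinson.com/iptables_fw.html
#
# 27-Jun-04 amo Date-of-Birth
#
# Host firewall for a single box: hardens a handful of IPv4 sysctls, then
# installs a default-DROP filter table that admits only loopback, traffic
# belonging to connections this host already accepted or initiated, and new
# SSH connections from one trusted address. Everything else inbound is logged
# and dropped. Must be run as root; writes /proc/sys and the iptables ruleset.
#
# Tunables (environment, all optional):
#   IPTABLES  path to the iptables binary            (default /sbin/iptables)
#   SSH_SRC   source address allowed to open TCP/22  (default 192.168.1.100)
#
# Kernel monitoring support
# More information:
#   /usr/src/linux-`uname -r`/Documentation/networking/ip-sysctl.txt
#   http://www.linuxgazette.com/book/view/1645
#   http://www.spirit.com/Network/net0300.html

IPT=${IPTABLES:-/sbin/iptables}
SSH_SRC=${SSH_SRC:-192.168.1.100}

# set_sysctl KEY VALUE
#   Writes VALUE to /proc/sys/KEY (KEY uses '/' separators, e.g.
#   net/ipv4/tcp_syncookies). A missing key prints an error and the script
#   continues, so a kernel lacking one knob still gets the firewall rules.
set_sysctl() {
  echo "$2" > "/proc/sys/$1"
}

# ---- Kernel hardening -------------------------------------------------------

# Drop ICMP echo-request messages sent to broadcast or multicast addresses
set_sysctl net/ipv4/icmp_echo_ignore_broadcasts 1

# Drop source routed packets
set_sysctl net/ipv4/conf/all/accept_source_route 0

# Enable TCP SYN cookie protection from SYN floods
set_sysctl net/ipv4/tcp_syncookies 1

# Don't accept ICMP redirect messages
set_sysctl net/ipv4/conf/all/accept_redirects 0

# Don't send ICMP redirect messages
set_sysctl net/ipv4/conf/all/send_redirects 0

# Enable source address spoofing protection
set_sysctl net/ipv4/conf/all/rp_filter 1

# Log packets with impossible source addresses
set_sysctl net/ipv4/conf/all/log_martians 1

# ---- Filter table -----------------------------------------------------------

# Flush all chains, then delete the (now empty) user-defined chains so the
# script can be re-run: without --delete-chain a second run's `-N LOGDROP`
# fails because the chain already exists. Only the filter table is touched;
# nat/mangle are left as they are.
"$IPT" --flush
"$IPT" --delete-chain

# Allow unlimited traffic on the loopback interface
"$IPT" -A INPUT -i lo -j ACCEPT
"$IPT" -A OUTPUT -o lo -j ACCEPT

# Set default policies. From here until the ESTABLISHED rule below is in
# place, existing sessions (including the one running this script) are
# briefly blocked; the gap is a few commands long.
"$IPT" --policy INPUT DROP
"$IPT" --policy OUTPUT DROP
"$IPT" --policy FORWARD DROP

# Previously initiated and accepted exchanges bypass rule checking
# Allow unlimited outbound traffic
"$IPT" -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
"$IPT" -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

# Allow incoming TCP port 22 (ssh) traffic from office
"$IPT" -A INPUT -p tcp -s "$SSH_SRC" --dport 22 -m state --state NEW -j ACCEPT

# Create a LOGDROP chain to log and drop packets
# ==============================================
# --log-level is an option of the LOG target, so it belongs on the LOG rule.
# The original put it on the `-j LOGDROP` jump, which iptables rejects
# (a user chain takes no options), so the catch-all rule never got installed.
# Level "debug" lets syslog file these entries separately (see below).
# Without a `-m limit` match a flood of dropped packets is logged one line
# each; add one if the log volume on this host becomes a problem.
"$IPT" -N LOGDROP
"$IPT" -A LOGDROP -j LOG --log-level debug
"$IPT" -A LOGDROP -j DROP

# Drop all other traffic, logging it first.
# (To drop silently instead, replace the LOGDROP jump with `-j DROP`.)
"$IPT" -A INPUT -j LOGDROP

# vi /etc/syslog.conf
#
# Send iptables LOGDROPs to /var/log/iptables
# kern.=debug	/var/log/iptables
#
# ( note the TABS -- NOT spaces )

# Have these rules take effect when iptables is started
# (RHEL-style init script; persists the running ruleset)
/sbin/service iptables save

# End of file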