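#!/bin/sh
#
# rc.iptables - host firewall for a single-homed IPv4 server.
#
# Local Copy
# -----------
# http://www.Linux-Sec.net/Firewall/Scripts/rc.iptable.start.stop.txt
#
# Original File
# -------------
# http://finmath.uchicago.edu/~wilder/Security/iptables/iptables_ws
#
# 27-Jun-04 amo Date-of-Birth
#
# Usage: rc.iptables {start|stop|restart|status}
#
# Policy applied by "start": nothing in except loopback, replies to
# traffic this host initiated, ssh, configured rsync/NTP peers and a few
# ICMP types; everything out; no forwarding.  Unmatched input is logged
# (rate-limited) and then dropped by the chain policy.
#
# NOTE: only IPv4 is filtered.  If this host has a global IPv6 address
# every service is reachable over IPv6 regardless of these rules; ip6tables
# must be configured separately.
#
# Environment overrides (all optional):
#   MYIP        the host's public address; when set, anything not addressed
#               to it is dropped.  When unset, "-m addrtype ! --dst-type
#               LOCAL" is used instead, which also works with several
#               addresses and needs no editing.
#   sshhosts    space-separated addresses/CIDRs allowed to reach sshd.
#               Defaults to the whole Internet; restrict it if you can,
#               since an exposed sshd is the usual brute-force target.
#   rsynchosts  space-separated addresses allowed to rsync backups (tcp/873).

set -u

PATH=/sbin:/usr/sbin:$PATH
export PATH

MYIP=${MYIP:-}
sshhosts=${sshhosts:-0.0.0.0/0}
rsynchosts=${rsynchosts:-}

# Set to 1 by ipt() when any iptables command fails; the script's exit
# status reflects it so init/systemd can see a broken rule set.
failed=0

# Run one iptables command.  A failure is reported and remembered instead
# of being silently skipped, so a typo never leaves a rule missing unnoticed.
ipt() {
    if ! iptables "$@"; then
        printf 'iptables %s: failed\n' "$*" >&2
        failed=1
    fi
}

# Write $2 to /proc/sys/$1, warning (not failing) when the knob does not
# exist on this kernel.
sysctl_set() {
    if [ -w "/proc/sys/$1" ]; then
        printf '%s\n' "$2" > "/proc/sys/$1"
    else
        printf 'warning: /proc/sys/%s not writable, skipped\n' "$1" >&2
    fi
}

# Kernel-side hardening.  Applied by "start" only (the original applied it
# on every invocation, including "status", which then needed root).
harden_kernel() {
    # Ignore echo requests (redundant with the icmpin chain below) and
    # broadcast pings (smurf amplification).
    sysctl_set net/ipv4/icmp_echo_ignore_all 1
    sysctl_set net/ipv4/icmp_echo_ignore_broadcasts 1

    # No source routing.
    sysctl_set net/ipv4/conf/all/accept_source_route 0
    sysctl_set net/ipv4/conf/default/accept_source_route 0

    # Ignore bogus ICMP error responses.
    sysctl_set net/ipv4/icmp_ignore_bogus_error_responses 1

    # Reverse-path filtering against spoofed source addresses.  "default"
    # is set too so interfaces brought up later inherit it.
    sysctl_set net/ipv4/conf/all/rp_filter 1
    sysctl_set net/ipv4/conf/default/rp_filter 1

    # ICMP redirects can rewrite our routing table; we never forward, so
    # neither accept nor send them.
    sysctl_set net/ipv4/conf/all/accept_redirects 0
    sysctl_set net/ipv4/conf/default/accept_redirects 0
    sysctl_set net/ipv4/conf/all/send_redirects 0

    # Keep accepting connections under a SYN flood.
    sysctl_set net/ipv4/tcp_syncookies 1
}

# Print the IPv4 addresses of every "server" entry in /etc/ntp.conf, one
# per line.  Literal addresses are passed through; names are resolved and
# only A records ("has address" lines of host(1)) are taken, so NXDOMAIN
# text, AAAA answers or PTR names never end up in an iptables argument.
# (The original ran host(1) on everything and kept its last field, which
# for a literal address is the reverse-lookup name, not an address.)
ntp_server_addrs() {
    [ -r /etc/ntp.conf ] || return 0
    awk '$1 == "server" { print $2 }' /etc/ntp.conf |
    while read -r name; do
        case $name in
            *[!0-9.]*)
                host -t A "$name" 2>/dev/null | awk '/has address/ { print $NF }'
                ;;
            *)
                printf '%s\n' "$name"
                ;;
        esac
    done
}

fw_start() {
    printf 'Setting IP Firewall rules: '
    harden_kernel

    # Fail closed: install the DROP policy *before* flushing, so that if any
    # rule below fails the host ends up closed rather than wide open.  The
    # original accepted everything during setup.
    ipt -P INPUT DROP
    ipt -P OUTPUT ACCEPT
    ipt -P FORWARD DROP

    # Flush current settings, including our own chains from a previous run.
    ipt -F
    ipt -X
    ipt -Z

    # Traffic from ourself.
    ipt -A INPUT -i lo -j ACCEPT

    # Refuse broadcast/multicast/transit traffic not addressed to us.
    if [ -n "$MYIP" ]; then
        ipt -A INPUT ! -d "$MYIP" -j DROP
    else
        ipt -A INPUT -m addrtype ! --dst-type LOCAL -j DROP
    fi

    # Replies to traffic this host started, for every protocol (the
    # original tracked TCP only and punched source-port 53/123 holes for
    # DNS and NTP replies, which any spoofer can use since a source port is
    # not authentication).  DNS answers for the NTP lookups below depend on
    # this rule already being in place, because the policy is DROP now.
    ipt -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    ipt -A INPUT -m conntrack --ctstate INVALID -j DROP

    # A new TCP connection must start with a SYN; everything else claiming
    # to be NEW is bogus.  Uncomment the LOG rule to see them.
    #ipt -A INPUT -p tcp ! --syn -m conntrack --ctstate NEW \
    #    -j LOG --log-prefix "DROP_SYN: "
    ipt -A INPUT -p tcp ! --syn -m conntrack --ctstate NEW -j DROP

    # ssh from $sshhosts (default: anywhere).
    for sshhost in $sshhosts; do
        ipt -A INPUT -p tcp -s "$sshhost" --dport 22 -j ACCEPT
    done

    # ICMP: echo-reply (0), destination-unreachable (3) and time-exceeded
    # (11) are needed for ping/traceroute/PMTU to work.  Type 5 (redirect),
    # accepted by the original, is dropped now - see accept_redirects above.
    ipt -N icmpin
    ipt -A INPUT -p icmp -j icmpin
    for icmptype in 0 3 11; do
        ipt -A icmpin -p icmp --icmp-type "$icmptype" -j ACCEPT
    done
    ipt -A icmpin -p icmp -j DROP

    # DNS: replies are ESTABLISHED and already accepted above; nothing
    # unsolicited from a nameserver is legitimate, so no extra rule.

    # NTP: unsolicited packets to our ntpd are accepted only from the
    # servers configured in /etc/ntp.conf.  Replies to our own polls are
    # covered by the conntrack rule above.
    ipt -N ntpin
    ipt -A INPUT -p udp --dport 123 -j ntpin
    for ntphost in $(ntp_server_addrs); do
        ipt -A ntpin -p udp -s "$ntphost" --dport 123 -j ACCEPT
    done
    ipt -A ntpin -j DROP

    # rsync backups from $rsynchosts (tcp/873).
    for rsynchost in $rsynchosts; do
        ipt -A INPUT -p tcp -s "$rsynchost" --dport 873 -j ACCEPT
    done

    # ident (tcp/113): answer UChicago hosts with a RST so their Solaris
    # mail server does not hang waiting for a timeout; drop everyone else.
    ipt -N identin
    ipt -A INPUT -p tcp --dport 113 -j identin
    #ipt -A identin -p tcp -s 128.135.0.0/16 --dport 113 \
    #    -j LOG --log-prefix "REJECT_IDENT: "
    ipt -A identin -p tcp -s 128.135.0.0/16 -j REJECT --reject-with tcp-reset
    ipt -A identin -j DROP

    # Log what is about to hit the DROP policy.  Rate-limited: an unlimited
    # LOG rule lets any packet flood fill the disk and drown real messages.
    ipt -A INPUT -m limit --limit 5/min --limit-burst 10 \
        -j LOG --log-prefix "DROP_DEFAULT: "

    # Default policies: nothing in, everything out, no forwarding.
    ipt -P INPUT DROP
    ipt -P OUTPUT ACCEPT
    ipt -P FORWARD DROP

    printf 'done.\n'
}

fw_stop() {
    printf 'Clearing IP Firewall rules: '

    # Allow everything except forwarding.
    ipt -P INPUT ACCEPT
    ipt -P OUTPUT ACCEPT
    ipt -P FORWARD DROP

    # Flush rules and remove our chains (the original left icmpin and
    # friends behind, which "status" then kept showing).
    ipt -F
    ipt -X
    ipt -Z

    printf 'done.\n'
}

fw_status() {
    # Numeric, with counters and rule numbers: no reverse lookups (which
    # would hang if DNS is blocked) and easy to reference in "-D" commands.
    iptables -nvL --line-numbers
}

case ${1-} in
    start)
        fw_start
        ;;
    stop)
        fw_stop
        ;;
    restart)
        fw_stop
        fw_start
        ;;
    status)
        fw_status
        ;;
    *)
        printf 'Usage: %s {start|stop|restart|status}\n' "$0" >&2
        exit 2
        ;;
esac

exit "$failed"
#
# End of file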