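#!/bin/bash
## ============================================================
#
# Example iptables firewall script. Good for a home user on a cable modem or dsl line.
# Written (mostly) by Adam Haeder (adamh@omaha.org).
#
# Must be run as root.  The interfaces and list files are set in the
# "definitions" section below.  Each list file holds one entry per line
# (several whitespace-separated entries per line also work); blank lines
# and anything after a '#' are ignored.
#
# The shebang has to be the very first line of the file or the kernel will
# not honor it, so the banner now follows it.
## ============================================================

# Abort on reference to an unset variable (catches typos in the names below).
# Deliberately NOT 'set -e': a modprobe of a module that is built into the
# kernel returns non-zero, and aborting there would leave the old rules in place.
set -u

## ===========================================================
## Some definitions:
readonly LOOPBACK_IFACE="lo"
readonly INET_IFACE="eth0"
readonly LOCAL_IFACE="eth1"
readonly BAD_IP_FILE="/etc/firewall/bad_ips"
readonly TCP_PORT_FILE="/etc/firewall/tcp_open"
readonly UDP_PORT_FILE="/etc/firewall/udp_open"

#######################################
# Print the entries of a list file, one per line, skipping blank lines and
# '#' comments.  Several entries on one line may be separated by whitespace,
# as with the original `cat`-based loops.
# Arguments: $1 - path to the list file
# Outputs:   entries to stdout; nothing if the file does not exist
# Returns:   0 always
#######################################
list_entries() {
  local file=$1
  local line
  local -a words
  [ -f "$file" ] || return 0
  # '|| [ -n "$line" ]' keeps a last line that has no trailing newline.
  while IFS= read -r line || [ -n "$line" ]; do
    line=${line%%#*}                      # drop trailing comment
    read -ra words <<<"$line"             # split on whitespace, no globbing
    [ "${#words[@]}" -eq 0 ] && continue  # blank or comment-only line
    printf '%s\n' "${words[@]}"
  done < "$file"
  return 0
}

#######################################
# Load the netfilter modules the rules below rely on.  On kernels where a
# module is built in, modprobe may complain; the script carries on.
#######################################
load_modules() {
  local mod
  for mod in ip_tables ip_conntrack ipt_LOG ipt_REJECT ipt_MASQUERADE \
             ip_conntrack_ftp ip_nat_ftp ipt_state iptable_filter; do
    modprobe "$mod"
  done
}

#######################################
# Flush, zero and delete all chains in the filter and nat tables, then set
# the default policies.  INPUT is set to DROP *before* the accept rules are
# added, so the box is closed (fail-closed) for the short time the script runs.
#######################################
reset_tables() {
  # Flush, zero and delete all chains
  iptables -F
  iptables -X
  iptables -Z
  # Flush, zero and delete all nat chains
  iptables -t nat -F
  iptables -t nat -X
  iptables -t nat -Z

  iptables -P INPUT DROP
  # NOTE: with ip_forward=1 (set below) a FORWARD policy of ACCEPT lets the
  # kernel route anything between the interfaces unfiltered.  A stricter
  # setup would use DROP plus explicit LOCAL_IFACE -> INET_IFACE and
  # ESTABLISHED,RELATED rules; kept as the author wrote it.
  iptables -P FORWARD ACCEPT
  iptables -P OUTPUT ACCEPT
}

#######################################
# Write a value to a /proc/sys knob, warning (not aborting) when the knob is
# missing on this kernel.
# Arguments: $1 - value to write
#            $2 - /proc/sys path
#######################################
set_proc() {
  local value=$1 path=$2
  if [ -w "$path" ]; then
    printf '%s\n' "$value" > "$path"
  else
    printf 'warning: cannot set %s\n' "$path" >&2
  fi
}

#######################################
# Kernel network hardening knobs.  ip_forward=1 is required for the
# masquerading below.
#######################################
set_kernel_params() {
  #set_proc 1 /proc/sys/net/ipv4/icmp_echo_ignore_all
  set_proc 1 /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
  set_proc 0 /proc/sys/net/ipv4/conf/all/accept_source_route
  set_proc 0 /proc/sys/net/ipv4/conf/all/accept_redirects
  set_proc 1 /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
  set_proc 1 /proc/sys/net/ipv4/conf/all/log_martians
  set_proc 1 /proc/sys/net/ipv4/ip_forward
}

#######################################
# Block all ips in $BAD_IP_FILE: log, then reject, everything arriving on
# INET_IFACE from each listed source address.
#######################################
block_bad_ips() {
  local bad_ip
  while IFS= read -r bad_ip; do
    printf '%s\n' "Blocking and logging all connection attempts from $bad_ip..."
    iptables -A INPUT -i "$INET_IFACE" -s "$bad_ip" -j LOG --log-prefix "BAD IP: "
    iptables -A INPUT -i "$INET_IFACE" -s "$bad_ip" -j REJECT
  done < <(list_entries "$BAD_IP_FILE")
}

#######################################
# Accept new connections from INET_IFACE to each port listed in a file.
# Arguments: $1 - protocol (tcp or udp)
#            $2 - path to the port list file
#######################################
open_ports() {
  local proto=$1 file=$2
  local port
  while IFS= read -r port; do
    iptables -A INPUT -i "$INET_IFACE" -p "$proto" --dport "$port" -j ACCEPT
  done < <(list_entries "$file")
}

#######################################
# The firewall rules proper, in the original order: bad-ip blocks, NAT,
# trusted interfaces, established traffic, opened ports, then log-and-drop
# for everything else.
#######################################
add_rules() {
  ## ============================================================
  # RULES

  block_bad_ips

  # Port forwarding
  # outside_ip:80 -> 10.1.1.10:80
  #iptables -t nat -I PREROUTING -i "$INET_IFACE" -p tcp --dport 80 -j DNAT --to-dest 10.1.1.10

  # Do the masquerading thing
  iptables -t nat -A POSTROUTING -o "$INET_IFACE" -j MASQUERADE

  # Accept all traffic on the local and loopback interfaces
  iptables -A INPUT -i "$LOCAL_IFACE" -j ACCEPT
  iptables -A INPUT -i "$LOOPBACK_IFACE" -j ACCEPT

  # Accept tcp and udp packets on established or related connections
  iptables -A INPUT -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT
  iptables -A INPUT -p udp -m state --state ESTABLISHED,RELATED -j ACCEPT

  # Open defined tcp ports
  open_ports tcp "$TCP_PORT_FILE"

  # Open defined udp ports
  open_ports udp "$UDP_PORT_FILE"

  # block identd with tcp-reset (a reset, rather than a silent drop, keeps
  # remote mail/irc servers from waiting on an ident timeout)
  iptables -A INPUT -i "$INET_IFACE" -p tcp --dport 113 -j REJECT --reject-with tcp-reset

  # accept icmp
  iptables -A INPUT -i "$INET_IFACE" -p icmp -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

  # NOTE: none of the LOG rules below is rate limited; on a busy link they can
  # fill the log.  '-m limit --limit 5/min' in front of each would cap that.

  # block and log all tcp syn packets
  iptables -A INPUT -i "$INET_IFACE" -p tcp -m state --state NEW -j LOG --log-prefix "TCP SYN PACKET: "
  iptables -A INPUT -i "$INET_IFACE" -p tcp -m state --state NEW -j REJECT

  # Any udp not already allowed is logged and then dropped.
  iptables -A INPUT -p udp -j LOG --log-prefix "IPTABLES UDP-IN: "
  iptables -A INPUT -p udp -j DROP

  # Any icmp not already allowed is logged and then dropped.
  iptables -A INPUT -p icmp -j LOG --log-prefix "IPTABLES ICMP-IN: "
  iptables -A INPUT -p icmp -j DROP

  # Any tcp not already allowed is logged and then dropped.
  iptables -A INPUT -p tcp -j LOG --log-prefix "IPTABLES TCP-IN: "
  iptables -A INPUT -p tcp -j DROP

  # Anything else not already allowed is logged and then dropped.
  # It will be dropped by the default policy anyway ...... but let's be paranoid.
  iptables -A INPUT -j LOG --log-prefix "IPTABLES PROTOCOL-X-IN: "
}

#######################################
# Entry point: same steps, same order, as the original flat script.
#######################################
main() {
  load_modules
  reset_tables
  set_kernel_params
  add_rules
}

main "$@"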