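#!/bin/sh
#
# Written by Dominic Hargreaves
#
# This script is released without copyright. It is, or is based on, code from
# <original source link missing from this copy>.
#
# It is designed to be a single host, stateful, and default deny firewall.
#
# The commented out entries are examples which may or may not be relevant
# in your environment.
#
# Logging target: rules log via the ULOG target (ulogd) unless the LOGTYPE
# environment variable overrides it. LOGTYPE=LOG sends the messages to the
# kernel log (dmesg) instead; LOGTYPE=NFLOG is the target used by ulogd2 and
# by kernels that no longer provide ULOG.
#
# IMPORTANT NOTICE: By default this script will block *all* incoming
# connections. This means that you *must* make sure you enable incoming
# ssh, or the emergency host access, if you are implementing this over an
# ssh connection.
#
# Scope: only the IPv4 filter table is configured. IPv6 (ip6tables) and the
# nat/mangle tables are not touched by this script. A failing iptables call
# does not abort the script, so watch stderr when applying it.

# iptables lives in /sbin on older layouts and in /usr/sbin on merged ones.
PATH=/sbin:/usr/sbin

# Refuse to run if iptables is not available: otherwise every rule below
# fails with "command not found" while the script still exits 0.
command -v iptables >/dev/null 2>&1 || {
  echo "iptables not found in PATH ($PATH)" >&2
  exit 1
}

# Shortcuts (deliberately expanded unquoted: each holds several words)
IN="iptables -A INPUT -m state --state"
OUT="iptables -A OUTPUT -m state --state"

# Defs
#LOCALNET="10.1.1.0/24"
#EMERGENCY_HOST="163.1.2.4"
# Default unchanged (ULOG); may be overridden from the environment.
LOGTYPE="${LOGTYPE:-ULOG}"

# Flush rules (all chains of the filter table)
iptables -F

# Emergency access
# Appended before the policies are switched to DROP below, so the window in
# which the emergency host is locked out is as short as possible.
#iptables -A INPUT -p tcp -s $EMERGENCY_HOST --dport 22 -j ACCEPT
#iptables -A OUTPUT -p tcp -d $EMERGENCY_HOST --sport 22 -j ACCEPT

# Set policies: default deny in every direction; anything not explicitly
# accepted below falls through to the logging rules at the end and is dropped.
iptables -P FORWARD DROP
iptables -P INPUT DROP
iptables -P OUTPUT DROP

# Delete old user-defined chains (must follow -F: a chain that still holds
# rules cannot be deleted)
iptables -X

# Set up drop and log chain: log the packet via $LOGTYPE, then drop it
iptables -N DLOG
iptables -A DLOG -j "$LOGTYPE"
iptables -A DLOG -j DROP

# Block and log bogons: loopback addresses must never arrive on a real
# interface
iptables -A INPUT -s 127.0.0.0/8 ! -i lo -j DLOG

# Block invalid packets (conntrack cannot associate them with any flow)
$IN INVALID -j DLOG

# Allow outbound connections to be made, and replies to them to come back
$OUT NEW,RELATED,ESTABLISHED -j ACCEPT
$IN RELATED,ESTABLISHED -j ACCEPT

# Allow everything to/from localhost (OUTPUT is already fully open above)
$IN NEW -i lo -j ACCEPT

# Allow incoming ping
#$IN NEW -p icmp --icmp-type echo-request -j ACCEPT

# Allow incoming services to all
#$IN NEW -p tcp -m multiport --dports ssh,www -j ACCEPT
#$IN NEW -p udp -m multiport --dports ntp -j ACCEPT

# Allow mail from our MX
#$IN NEW -p tcp --dport smtp -s 10.1.3.1 -j ACCEPT

# Allow smb from our local network
#$IN NEW -p tcp -m multiport --dports netbios-ns,netbios-dgm,netbios-ssn,microsoft-ds -s $LOCALNET -j ACCEPT
#$IN NEW -p udp -m multiport --dports netbios-ns,netbios-dgm,netbios-ssn -s $LOCALNET -j ACCEPT

# Reject kindly to prevent timeouts: remote services that probe ident
# (tcp/auth) get an immediate RST instead of waiting on a dropped SYN
$IN NEW -p tcp --dport auth -j REJECT --reject-with tcp-reset

# Drop these now to prevent unnecessarily logging
iptables -A INPUT -m pkttype --pkt-type broadcast -j DROP

# Log everything else for diagnostics
# (note that policies for INPUT,OUTPUT,FORWARD are DROP)
iptables -A INPUT -j "$LOGTYPE"
iptables -A OUTPUT -j "$LOGTYPE"
iptables -A FORWARD -j "$LOGTYPE"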