#!/bin/bash # Do iptables based masquerading and firewalling. # ~spot, 09/01/2002 # Set default PATH export PATH=/sbin:/usr/sbin:/bin:/usr/bin # Load NAT modules modprobe iptable_nat modprobe ip_nat_ftp modprobe ip_nat_irc # Load connection-tracking modules modprobe ip_conntrack modprobe ip_conntrack_ftp modprobe ip_conntrack_irc # Disable response to broadcasts. echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts # Don't accept source routed packets. echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route # Disable ICMP redirect acceptance. echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects # Enable bad error message protection echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses # Log spoofed packets, source routed packets, redirect packets echo 1 > /proc/sys/net/ipv4/conf/all/log_martians # Turn on IP forwarding echo 1 > /proc/sys/net/ipv4/ip_forward # Clean old iptables iptables -F iptables -X iptables -Z # Allow forwarding through the internal interface iptables -A FORWARD -i eth1 -j ACCEPT iptables -A FORWARD -o eth1 -j ACCEPT iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT # Default forward policy to DROP iptables -P FORWARD DROP # Do masquerading through eth0 iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE # Port Forwarding iptables -t nat -A PREROUTING -i eth0 -p tcp -m tcp --dport 2222 -j DNAT --to-destination 192.168.100.2:22 # Firewall Rules # Loopback - Allow unlimited traffic iptables -A INPUT -i lo -j ACCEPT iptables -A OUTPUT -o lo -j ACCEPT # SYN-Flooding Protection iptables -N syn-flood iptables -A INPUT -i eth0 -p tcp --syn -j syn-flood iptables -A syn-flood -m limit --limit 1/s --limit-burst 4 -j RETURN iptables -A syn-flood -j DROP # Make sure that new TCP connections are SYN packets iptables -A INPUT -i eth0 -p tcp ! --syn -m state --state NEW -j DROP # Fragments : Don't trust the little buggers. Send 'em to hell. iptables -A INPUT -i eth0 -f -j LOG --log-level debug --log-prefix "IPTABLES FRAGMENTS: " iptables -A INPUT -i eth0 -f -j DROP # Refuse spoofed packets claiming to be the loopback iptables -A INPUT -i eth0 -d 127.0.0.0/8 -j DROP # Allow BootP/DHCP UDP requests iptables -A INPUT -i eth0 -p udp -d 0/0 --dport 67:68 -j ACCEPT # DNS # Allow UDP packets in for DNS client from nameservers iptables -A INPUT -i eth0 -p udp -s 0/0 --sport 53 -m state --state ESTABLISHED -j ACCEPT iptables -A INPUT -i eth0 -p udp -d 0/0 --dport 53 -j ACCEPT # SSH # allow all sshd incoming connections (including the port fw) iptables -A INPUT -i eth0 -p tcp -d 0/0 --dport 22 -j ACCEPT iptables -A INPUT -i eth0 -p tcp -d 0/0 --dport 2222 -j ACCEPT # HTTP # allow all http/https incoming/return connections iptables -A INPUT -i eth0 -p tcp -s 0/0 --sport 80 -m state --state ESTABLISHED,RELATED -j ACCEPT iptables -A INPUT -i eth0 -p tcp -s 0/0 --sport 443 -m state --state ESTABLISHED,RELATED -j ACCEPT iptables -A INPUT -i eth0 -p tcp -d 0/0 --dport 80 -j ACCEPT iptables -A INPUT -i eth0 -p tcp -d 0/0 --dport 443 -j ACCEPT # FTP # allow all ftpd incoming connections iptables -A INPUT -i eth0 -p tcp -d 0/0 --dport 21 -j ACCEPT # Enable active ftp transfers iptables -A INPUT -i eth0 -p tcp -s 0/0 --sport 20 -m state --state ESTABLISHED,RELATED -j ACCEPT # Enable passive ftp transfers iptables -A INPUT -i eth0 -p tcp -s 0/0 --sport 1024:65535 --dport 1024:65535 -m state --state ESTABLISHED,RELATED -j ACCEPT # Enable ident probes (IRC) iptables -t filter -A INPUT -i eth0 -p tcp -d 0/0 --dport 113 -j ACCEPT # Allow ICMP in if it is related to other connections iptables -A INPUT -i eth0 -p icmp -m state --state ESTABLISHED,RELATED -j ACCEPT # Allow bot traffic through iptables -A INPUT -i eth0 -p tcp -d 0/0 --dport 8676 -j ACCEPT # enable dcc iptables -A INPUT -i eth0 -p tcp -m state --state RELATED -j ACCEPT # LOGGING: # UDP, log & drop iptables -A INPUT -i eth0 -p udp -j LOG --log-level debug --log-prefix "IPTABLES UDP-IN: " iptables -A INPUT -i eth0 -p udp -j DROP # ICMP, log & drop iptables -A INPUT -i eth0 -p icmp -j LOG --log-level debug --log-prefix "IPTABLES ICMP-IN: " iptables -A INPUT -i eth0 -p icmp -j DROP # Windows NetBIOS noise, log & drop iptables -A INPUT -i eth0 -p tcp -s 0/0 --sport 137:139 -j LOG --log-level debug --log-prefix "IPTABLES NETBIOS-IN: " iptables -A INPUT -i eth0 -p tcp -s 0/0 --sport 137:139 -j DROP # IGMP noise, log & drop iptables -A INPUT -i eth0 -p 2 -j LOG --log-level debug --log-prefix "IPTABLES IGMP-IN: " iptables -A INPUT -i eth0 -p 2 -j DROP # TCP, log & drop iptables -A INPUT -i eth0 -p tcp -j LOG --log-level debug --log-prefix "IPTABLES TCP-IN: " iptables -A INPUT -i eth0 -p tcp -j DROP # Anything else not allowed, log & drop iptables -A INPUT -i eth0 -j LOG --log-level debug --log-prefix "IPTABLES UNKNOWN-IN: " iptables -A INPUT -i eth0 -j DROP