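#!/bin/sh
# Documents/Scripts/iptbl -- IPv4 host firewall built with iptables.
#
# Policy is DROP on INPUT, FORWARD and OUTPUT; the only exceptions are the
# interfaces listed in NETDEVICES and the ports listed in INCOMINGPORTS.
# Loopback is fully open, but 127.0.0.1 seen on any other device is
# dropped. ip6tables is not touched here, so IPv6 keeps whatever policy
# the host already has.
#
# Must run as root. Under `set -e` a failing iptables call aborts the
# script, which leaves the policies at DROP (fail closed) rather than
# silently running with a half-built rule set.
set -eu

# devices that carry data connections
NETDEVICES="eth0 ppp0"

# incoming ports to open, one entry per word: device:proto:port[,port...]
# (the comma list goes to the multiport match, which takes at most 15 ports)
INCOMINGPORTS="eth0:tcp:22,23,80,443,3128,1500,6112,6111
eth0:udp:53,6112,6111
ppp0:tcp:1500,6112,6113,6220,6221,6222,8080,17337
ppp0:udp:6220,6221,6222,17337"

# print a diagnostic on stderr so it is not mixed with normal output
warn() { printf '%s\n' "$*" >&2; }

command -v iptables >/dev/null 2>&1 || { warn "iptables not found"; exit 1; }

echo "Starting firewall..."

# reset all tables and delete all user chains
iptables -t filter -F
iptables -t nat -F
iptables -t filter -X
iptables -t nat -X

# drop everything by default; the rules below are the only exceptions
iptables -t filter -P INPUT DROP
iptables -t filter -P FORWARD DROP
iptables -t filter -P OUTPUT DROP

# drop_bad_packets: tcp packets that would open a connection without SYN,
# plus anything conntrack cannot classify (state INVALID)
iptables -N drop_bad_packets
iptables -A drop_bad_packets -p tcp ! --syn -m state --state NEW -j DROP
iptables -A drop_bad_packets -m state --state INVALID -j DROP

# do not accept or send such packets (FORWARD is DROP by policy anyway)
iptables -A INPUT -j drop_bad_packets
iptables -A OUTPUT -j drop_bad_packets

# 127.0.0.1 may only appear on lo; on any other device it is spoofed.
# `! -i lo` is the current negation form; `-i ! lo` is deprecated.
iptables -A INPUT ! -i lo -s 127.0.0.1 -j DROP
iptables -A INPUT ! -i lo -d 127.0.0.1 -j DROP
iptables -A OUTPUT ! -o lo -s 127.0.0.1 -j DROP
iptables -A OUTPUT ! -o lo -d 127.0.0.1 -j DROP

# loopback is fully open (other hosts cannot write to our loopback device)
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

# NETDEVICES is deliberately unquoted: split on whitespace into devices
for dev in $NETDEVICES; do
  # replies to our own connections
  iptables -A INPUT -i "$dev" -m state --state ESTABLISHED,RELATED -j ACCEPT
  # incoming echo request only; the echo reply is ESTABLISHED
  iptables -A INPUT -i "$dev" -m state --state NEW -p icmp --icmp-type 8 -j ACCEPT
  # all outgoing data
  iptables -A OUTPUT -o "$dev" -j ACCEPT
done

# open new incoming connections on the ports listed in INCOMINGPORTS
for entry in $INCOMINGPORTS; do
  # an entry needs at least two ':' separators (device:proto:ports)
  case $entry in
    *:*:*) ;;
    *) warn "wrong INCOMINGPORTS entry (ignored): '$entry'"; continue ;;
  esac
  # split with parameter expansion instead of one echo|awk pipeline per
  # field; anything after a third ':' is ignored, as awk's $3 would do
  device=${entry%%:*}
  rest=${entry#*:}
  proto=${rest%%:*}
  ports=${rest#*:}
  ports=${ports%%:*}
  if [ -z "$device" ] || [ -z "$proto" ] || [ -z "$ports" ]; then
    warn "wrong INCOMINGPORTS entry (ignored): '$entry'"
    continue
  fi
  # -p before -m multiport: multiport needs the protocol to be known
  iptables -A INPUT -i "$device" -p "$proto" -m state --state NEW \
    -m multiport --dports "$ports" -j ACCEPT
done

# everything else is answered with a reject instead of a silent drop
iptables -A INPUT -j REJECT

# kernel settings: ECN off, SYN cookies on, reverse-path filter on every
# interface
echo 0 > /proc/sys/net/ipv4/tcp_ecn
echo 1 > /proc/sys/net/ipv4/tcp_syncookies
for f in /proc/sys/net/ipv4/conf/*/rp_filter; do
  [ -e "$f" ] || continue  # an unmatched glob stays literal in sh
  echo 1 > "$f"
done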