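#!/bin/sh
# Host firewall for the filter table of a box with a LAN side (eth0) and a
# dial-up/PPP uplink (ppp0).
#
# Usage: run as root. Every command is traced to stderr (set -x).
#        Use ipreset to clear everything back to an open firewall (this
#        script only flushes the filter table, not nat/mangle).
#
# Effect: INPUT and FORWARD default to DROP; loopback, established/related
#         traffic, ICMP and the services under "SERVICES" are let in.
#         This allows nmap against localhost but not from any other machine.
#
# Debug:
##tcpdump -i eth0 not port 22   # everything but ssh
#
# Trace every command, stop at the first error.
set -x -e

# iptables is invoked as root: pin PATH so the binary is looked up in the
# system directories, not in whatever the caller's environment contains.
PATH=/sbin:/usr/sbin:/bin:/usr/bin
export PATH

# iptables needs root; fail early with a clear message instead of on the
# first rule.
if [ "$(id -u)" -ne 0 ]; then
  printf '%s: must be run as root\n' "$0" >&2
  exit 1
fi

##### DEFAULT POLICIES
# Set the policies before flushing so the firewall is closed during this run
# and stays closed if a later command fails (set -e stops the script).
# -F does not reset policies, so every run after the first already flushed
# under DROP; setting them first makes the first run behave the same way.
# OUTPUT policy is intentionally left alone (default ACCEPT); see the 31337
# rule below, which only matters while that is the case.
iptables -P INPUT DROP
iptables -P FORWARD DROP

# Flush the filter table, then delete any user-created chains, leaving the
# built-in ones (INPUT, OUTPUT, FORWARD).
iptables -F
iptables -X

##### ACCEPT
# Loopback. This must come before every rule that denies port access.
iptables -A INPUT -i lo -p all -j ACCEPT
iptables -A OUTPUT -o lo -p all -j ACCEPT
##iptables -A INPUT -i lo -j ACCEPT
# Replies to traffic this host sent out on the LAN (ICMP/TCP/UDP), e.g. the
# answer to a ping request.
iptables -A INPUT -j ACCEPT -m state --state ESTABLISHED -i eth0 -p icmp
iptables -A INPUT -j ACCEPT -m state --state ESTABLISHED -i eth0 -p tcp
iptables -A INPUT -j ACCEPT -m state --state ESTABLISHED -i eth0 -p udp
# Stateful accept: packets that belong to, or are related to, a connection
# this host already has (-m state --state RELATED,ESTABLISHED). Think of it
# as a web server sending you its page after you asked for it. Needs at
# least the ip_conntrack, iptable_filter and ipt_state modules, and probably
# ip_conntrack_ftp for FTP data connections. The ppp0 rule is subsumed by
# the interface-less INPUT rule two lines below; kept as the author had it.
iptables -A INPUT -i ppp0 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

##### ANTI-SPOOFING
# Non-routable source addresses arriving on the uplink are spoofed (or
# leaked) and are dropped here, BEFORE any service rule. Placed after the
# stateful accepts so replies to connections this host opened are unaffected,
# but ahead of the ACCEPTs below, which otherwise match first: the Squid rule
# accepts 10.0.0.0/8 without an interface restriction, and the ssh rule has
# no source restriction at all.
##iptables -A INPUT -i ppp0 -s 10.0.0.0/8 -d 0.0.0.0/0 -j DROP
iptables -A INPUT -s 10.0.0.0/8 -i ppp0 -j DROP
iptables -A INPUT -s 127.0.0.0/8 -i ppp0 -j DROP
iptables -A INPUT -s 172.16.0.0/12 -i ppp0 -j DROP
iptables -A INPUT -s 192.168.0.0/16 -i ppp0 -j DROP

# Allow outside ping (every ICMP type, every interface; spoofed private
# sources on ppp0 are already gone by this point).
iptables -A INPUT -p icmp -j ACCEPT

##### SERVICES
# ssh from anywhere, on every interface. One rule replaced the eight of the
# "orig ssh mess" kept at the bottom of this file.
iptables -A INPUT -p tcp --dport ssh -j ACCEPT
# FTP: LAN only; refused (the peer gets an error) on the uplink.
# xxx uncomment
iptables -A INPUT -p tcp -i eth0 --dport 20 -j ACCEPT
iptables -A INPUT -p tcp -i eth0 --dport 21 -j ACCEPT
iptables -A INPUT -p tcp -i ppp0 --dport 20 -j REJECT
iptables -A INPUT -p tcp -i ppp0 --dport 21 -j REJECT
# Squid: 3128 only from localhost and the 10/8 LAN, refused otherwise;
# 8080 refused from everywhere.
iptables -A INPUT -s 0/0 -p tcp --dport 8080 -j REJECT
iptables -A INPUT -s 127.0.0.1 -p tcp --dport 3128 -j ACCEPT
iptables -A INPUT -s 10.0.0.0/8 -p tcp --dport 3128 -j ACCEPT
iptables -A INPUT -s 0/0 -p tcp --dport 3128 -j REJECT
# BitTorrent on the uplink
# xxx 2003.1012 modified for only 3 ports (was 6881:6889)
iptables -A INPUT -p tcp -s 0/0 -i ppp0 --dport 6881:6883 -j ACCEPT
iptables -A INPUT -p tcp -s 0/0 -i ppp0 --dport 6969 -j ACCEPT
# One VNC display, LAN only
iptables -A INPUT -i eth0 -p tcp --dport 5902 -j ACCEPT

#####
##### BLOCKING
#####
# The INPUT/FORWARD DROP policies already discard anything not accepted
# above. The rules here either answer the peer (REJECT) instead of staying
# silent, cover OUTPUT (policy ACCEPT), or predate the policies.
#
# Examples kept from the reference material:
#   Block all ports except 22 to allow sshd:
##/sbin/iptables -A INPUT -p tcp --syn --destination-port 22 -j ACCEPT
###/sbin/iptables -A INPUT -p tcp --syn -j DROP
#   Block all ports except 22, and only from one predefined IP:
##/sbin/iptables -A INPUT -p tcp --syn -s 192.168.1.100/32 --destination-port 22 -j ACCEPT
##/sbin/iptables -A INPUT -p tcp --syn -j DROP
#   Allow sshd from 192.168.1.100, httpd from the world, block the rest:
#/sbin/iptables -A INPUT -p tcp --syn -s 192.168.1.100/32 --destination-port 22 -j ACCEPT
#/sbin/iptables -A INPUT -p tcp --syn --destination-port 80 -j ACCEPT
#/sbin/iptables -A INPUT -p tcp --syn -j DROP
#
# More elaborate rules can control access to specific subnets or nodes in a
# LAN, and can stop dubious services (trojans, worms and other client/server
# malware) from contacting their servers. Some trojans scan for services on
# ports 31337 to 31340 (the "elite" ports). No legitimate service uses them,
# so blocking them reduces the chance that an infected node talks to its
# remote master. The OUTPUT rule is only useful while the OUTPUT policy is
# ACCEPT; with OUTPUT policy DROP it is not needed.
#iptables -A OUTPUT -o eth0 -p tcp --dport 31337 --sport 31337 -j DROP
# Remember: --dport/--sport need -p tcp or -p udp.
iptables -A INPUT -i ppp0 -p tcp --dport 31337 --sport 31337 -j DROP
iptables -A OUTPUT -o ppp0 -p tcp --dport 31337 --sport 31337 -j DROP
# FORWARD rules can keep traffic such as NFS or Samba file shares on the LAN.
# NB: these match the *source* port, so they catch packets coming from a
# share rather than connections to one; with FORWARD policy DROP nothing is
# forwarded anyway, so they are belt-and-braces.
iptables -A FORWARD -p tcp --sport 137:139 -j DROP
iptables -A FORWARD -p udp --sport 137:139 -j DROP
# "A" appends, "INPUT" names the chain (incoming, outgoing or forwarded),
# "sport" is the source port.
# Common Windows / specific ports. The --sport DROPs only match packets that
# claim to come from those ports (the sender chooses that value, so they are
# no protection by themselves); the --dport REJECTs answer file-sharing and
# Kazaa probes instead of letting them time out under the DROP policy.
iptables -A INPUT -s 0/0 -p tcp --sport 69 -j DROP
iptables -A INPUT -s 0/0 -p tcp --sport 135 -j DROP
iptables -A INPUT -p tcp -s 0/0 -d 0/0 --dport 139 -j REJECT # Block Windows file sharing
iptables -A INPUT -p tcp -s 0/0 -d 0/0 --dport 445 -j REJECT # Block Windows file sharing
iptables -A INPUT -p tcp -s 0/0 -d 0/0 --dport 1214 -j REJECT # Block Kazaa
iptables -A INPUT -s 0/0 -p tcp --sport 4444 -j DROP
# Block incoming Blaster Worm traffic on ports 153 and 707
# Chgd eth0 to ppp0, added -p tcp and got it to work
iptables -A INPUT -i ppp0 -p tcp --dport 153 -j DROP
iptables -A INPUT -i ppp0 -p tcp --dport 707 -j DROP
# Block infected machines from spreading Blaster Worm on 153 and 707
# (disabled; as written these lack the -p tcp that --dport requires)
##/sbin/iptables -A OUTPUT -o ppp0 --dport 153 -j DROP
##/sbin/iptables -A OUTPUT -o ppp0 --dport 707 -j DROP
# !! Consider dropping all traffic to port 25 (mail)
# Block ports 127, 137, 138 and 139 (Samba/windows) - blocked in FORWARD, above

##### FALLTHROUGH
# Stopgap: any remaining bare SYN is dropped explicitly. The INPUT DROP
# policy set at the top covers everything else that reached this point.
iptables -A INPUT -p tcp --tcp-flags ALL SYN -j DROP
exit 0

# ---------------------------------------------------------------------------
# Everything below is history and reference material; nothing after the
# exit above runs.
#
# References:
# http://nekohako.xware.cx/tech/adsl-2.4.html
# http://www.redhat.com/docs/manua ... ty-guide/ch-fw.html
# http://uug.byu.edu/pipermail/uug-list/2003-April/002060.html
# http://www.linuxchix.org/piperma ... -August/016116.html
# http://linuxwiki.de/FlorianWoegerer/Notizen
# http://www.linuxforum.com/forums ... st=0&#entry5637
# http://www.ltsp.org/contrib/vnc.html
#
## Orig ssh mess (retired). These used to sit after the exit as live code
## that never ran; they are commented out so that is explicit. Do not
## re-enable the INPUT --sport 22 rules: they would accept any packet whose
## sender chose source port 22, which is not a property of ssh clients.
# Allow ssh
##iptables -A INPUT -p tcp --sport 22 -j ACCEPT
##iptables -A INPUT -p udp --sport 22 -j ACCEPT
# XXX added below
##iptables -A OUTPUT -p tcp --dport 22 -j ACCEPT
##iptables -A OUTPUT -p udp --dport 22 -j ACCEPT
#(Orig
##iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
##iptables -A OUTPUT -p udp --sport 22 -j ACCEPT
# Added more
##iptables -A INPUT -i eth0 -p udp --dport 22 -j ACCEPT
##iptables -A INPUT -i eth0 -p tcp --dport 22 -j ACCEPT
##iptables -A OUTPUT -o eth0 -p udp --dport 22 -j ACCEPT
##iptables -A OUTPUT -o eth0 -p tcp --dport 22 -j ACCEPT
#
# UNUSED:
# To go a step further, block outside connections that spoof private IP
# ranges to get into the LAN. If the LAN uses 192.168.1.0/24, a rule on the
# Internet-facing device (for example eth0) can drop any packet arriving there
# with a source in the LAN range. Because rejecting forwarded packets is the
# recommended default policy, any other spoofed address on the external
# device is rejected automatically.
#
##iptables -A FORWARD -p tcp -s 192.168.1.0/24 -i eth0 -j DROP
##iptables -A FORWARD -p udp -s 192.168.1.0/24 -i eth0 -j DROP
# xxx corrected
##iptables -A FORWARD -p tcp -s 192.168.0.0/24 -i ppp0 -j DROP
##iptables -A FORWARD -p udp -s 192.168.0.0/24 -i ppp0 -j DROP
##iptables -A FORWARD -p tcp -s 192.168.1.0/24 -i ppp0 -j DROP
##iptables -A FORWARD -p udp -s 192.168.1.0/24 -i ppp0 -j DROP
# Block common Windows ports / specific ports
# (this just didn't work)
# The reason is that -j DENY doesn't exist. Changed to DROP; got it working.
##iptables -A INPUT -s 0/0 -p tcp --sport 69 -j DENY
##iptables -A INPUT -s 0/0 -p tcp --sport 135 -j DENY
##iptables -A INPUT -s 0/0 -p tcp --sport 4444 -j DENY
# for transparent proxy
#> /sbin/iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT
#> --to-port 3128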