Tightly secured firewall for general use

Tightly secured firewall for general use is an iptables firewall script.
Tightly secured firewall for general use is an iptables firewall script.

Sample:

#!/bin/sh
echo "Initializing modules..."
cd /lib/modules/2.4.1/kernel/net/ipv4/netfilter
insmod ip_tables
insmod ip_conntrack
insmod ipt_state
insmod ipt_limit
#insmod iptable_mangle
#insmod ipt_PERS
echo "Flushing rules.."
#iptables -F PREROUTING
#iptables -t mangle -F OUTPUT
iptables -F INPUT
iptables -F FORWARD
iptables -F OUTPUT
iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT
if [ "$1" == "start" ]; then
echo "Setting up spoof protection..."
for blah in /proc/sys/net/ipv4/conf/*/rp_filter; do
echo "1" > $blah
done
echo "Setting default routes..."
iptables -P INPUT DROP
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT
echo "Configuring external interface rulesets..."
#iptables -t mangle -A PREROUTING -j PERS --local --tweak dst --conf /etc/win9x.conf
#iptables -t mangle -A OUTPUT -j PERS --local --tweak src --conf /etc/win9x.conf
iptables -A INPUT -i eth0 -s 127.0.0.0/8 -j DROP
iptables -A INPUT -i eth0 -s 10.0.0.0/8 -j DROP
iptables -A INPUT -i eth0 -s 255.255.255.255/32 -j DROP
iptables -A INPUT -i eth0 -s 0.0.0.0/8 -j DROP
iptables -A INPUT -i eth0 -s 169.254.0.0/16 -j DROP
iptables -A INPUT -i eth0 -s 172.16.0.0/12 -j DROP
iptables -A INPUT -i eth0 -s 192.0.2.0/24 -j DROP
iptables -A INPUT -i eth0 -s 192.168.0.0/16 -j DROP
iptables -A INPUT -i eth0 -s 224.0.0.0/4 -j DROP
iptables -A INPUT -i eth0 -s 240.0.0.0/5 -j DROP
iptables -A INPUT -i eth0 -s 248.0.0.0/5 -j DROP
iptables -A INPUT -i eth0 -f -j DROP
iptables -A INPUT -i eth0 -p TCP -m state --state INVALID -j DROP
iptables -A INPUT -i eth0 -p TCP --syn -m limit --limit 1/s -j ACCEPT
iptables -A INPUT -i eth0 -p TCP --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s -j ACCEPT
iptables -A INPUT -i eth0 -p TCP --sport 1024:5000 --dport 20 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -i eth0 -p TCP --sport 1024:5000 --dport 21 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -i eth0 -p TCP --sport 1024:5000 --dport 23 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -i eth0 -p TCP --sport 1024:5000 --dport 25 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -i eth0 -p TCP --sport 1024:5000 --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -i eth0 -p TCP --sport 1024:5000 --dport 110 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -i eth0 -p TCP --sport 1024:5000 --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -i eth0 -p TCP --sport 1024:5000 --dport 113 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -i eth0 -p TCP --sport 1024:5000 --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT
#iptables -A INPUT -i eth0 -p TCP -s 0/0 --sport 1024:5000 -d 0/0 --dport 1998 -j ACCEPT
#iptables -A INPUT -i eth0 -p TCP -s 0/0 --sport 1024:5000 -d 0/0 --dport 1999 -j ACCEPT
iptables -A INPUT -i eth0 -p TCP --dport 32768:61000 -m state --state ESTABLISHED -j ACCEPT
iptables -A INPUT -i eth0 -p TCP --sport 32768:61000 --dport 20 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -i eth0 -p TCP --sport 32768:61000 --dport 21 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -i eth0 -p TCP --sport 32768:61000 --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -i eth0 -p TCP --sport 32768:61000 --dport 23 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -i eth0 -p TCP --sport 32768:61000 --dport 25 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -i eth0 -p TCP --sport 32768:61000 --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -i eth0 -p TCP --sport 32768:61000 --dport 110 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -i eth0 -p TCP --sport 32768:61000 --dport 113 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -i eth0 -p TCP --sport 32768:61000 --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT
#iptables -A INPUT -i eth0 -p TCP --sport 32768:61000 --dport 1998 -j ACCEPT
#iptables -A INPUT -i eth0 -p TCP --sport 32768:61000 --dport 1999 -j ACCEPT
#iptables -A INPUT -i eth0 -p UDP -j DENY
iptables -A INPUT -i eth0 -p UDP -s 0/0 --sport 53 -j ACCEPT
#iptables -A INPUT -i eth0 -p UDP -s 0/0 --dport 53 -j ACCEPT
#iptables -A INPUT -i eth0 -p UDP -s 0/0 --sport 161 -j ACCEPT
iptables -A INPUT -i eth0 -p UDP -s 0/0 --sport ntp -j ACCEPT
iptables -A INPUT -i eth0 -p UDP -s 0/0 --dport ntp -j ACCEPT
iptables -A INPUT -i eth0 -p ICMP --icmp-type echo-reply -j ACCEPT
echo "Configuring routing rulesets..."
iptables -A FORWARD -i eth0 -d 205.188.153.139/32 -j DROP
iptables -A FORWARD -i eth0 -d 205.188.153.140/32 -j DROP
iptables -A FORWARD -i eth0 -d 205.188.153.141/32 -j DROP
iptables -A FORWARD -i eth0 -d 205.188.7.168/32 -j DROP
iptables -A FORWARD -i eth0 -d 205.188.7.164/32 -j DROP
iptables -A FORWARD -i eth0 -d 205.188.7.178/32 -j DROP
iptables -A FORWARD -i eth0 -d 205.188.7.172/32 -j DROP
iptables -A FORWARD -i eth0 -d 205.188.7.176/32 -j DROP
iptables -A FORWARD -i eth0 -d 205.188.5.208/32 -j DROP
iptables -A FORWARD -i eth0 -d 205.188.4.159/32 -j DROP
iptables -A FORWARD -i eth0 -d 205.188.3.160/32 -j DROP
iptables -A FORWARD -i eth0 -d 205.188.3.176/32 -j DROP
iptables -A FORWARD -i eth0 -d 205.188.5.204/32 -j DROP
iptables -A FORWARD -i eth0 -d 205.188.153.139/32 -j DROP
iptables -A FORWARD -i eth0 -d 209.185.128.132/32 -j DROP
iptables -A FORWARD -i eth0 -d 152.163.241.128/32 -j DROP
iptables -A FORWARD -i eth0 -d 152.163.242.24/32 -j DROP
iptables -A FORWARD -i eth0 -d 152.163.242.28/32 -j DROP
iptables -A FORWARD -i eth0 -d 152.163.241.120/32 -j DROP
iptables -A FORWARD -i eth0 -p TCP --sport 1024: --dport 9898 -j DROP
iptables -A FORWARD -i eth0 -d 10.0.0.0/8 -j DROP
iptables -A FORWARD -i eth0 -d 127.0.0.0/8 -j DROP
iptables -A FORWARD -i eth0 -p igmp -j DROP
iptables -A FORWARD -i eth0 -p TCP --syn -m limit --limit 10/s -j ACCEPT
iptables -A FORWARD -i eth0 -p TCP --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 10/s -j ACCEPT
echo "Configuring internal interface rulesets..."
iptables -A INPUT -i lo -j ACCEPT
echo "IPtables firewall configuration completed."
fi

last updated on:
February 14th, 2007, 15:04 GMT
price:
FREE!
developed by:
Packetstorm
homepage:
www.linuxguruz.com
license type:
GPL (GNU General Public License) 
category:
ROOT \ System \ Networking

FREE!

In a hurry? Add it to your Download Basket!

user rating

UNRATED
0.0/5
 

0/5

Rate it!

Add your review!

SUBMIT