AllixD Firewall Script
Jump to navigation
Jump to search
I use this. It does not allow any incoming data, so it's no good for NFS servers.
#!/bin/sh IPT="/usr/sbin/iptables" # Let's make sure forwarding is DISABLED: echo "0" > /proc/sys/net/ipv4/ip_forward # Let's enable SYN cookies (to protect against SYN floods): echo "1" > /proc/sys/net/ipv4/tcp_syncookies # Let's disable TCP timestamps to reduce the TCP stack workload: echo "0" > /proc/sys/net/ipv4/tcp_timestamps # Let's enable reverse path filtering for anti-spoofing: echo "1" > /proc/sys/net/ipv4/conf/all/rp_filter # Let's ignore PINGs which have been BROADCAST: echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts # Let's disable source routed packets as they are ridiculous: echo "0" > /proc/sys/net/ipv4/conf/all/accept_source_route # Let's allow redirects from trusted gateways only: echo "1" > /proc/sys/net/ipv4/conf/all/secure_redirects # Let's log any UFOs which are spotted: echo "1" > /proc/sys/net/ipv4/conf/all/log_martians # Let's flush-out all the chains in our tables: $IPT -F $IPT -F -t nat $IPT -F -t mangle # Let's delete every non-builtin chains in our tables: $IPT -X $IPT -X -t nat $IPT -X -t mangle # Let's set our INPUT policy to DROP: $IPT -P INPUT DROP # Let's set our OUTPUT policy to ACCEPT, because we can # appreciate this kinda flexibility on a Home PC: $IPT -P OUTPUT ACCEPT # Let's accept incoming packets which belong to connections # that have ALREADY been initiated: $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT # Let's allow all packets initiating new connections LOCALLY: $IPT -A INPUT -i lo -m state --state NEW -j ACCEPT # Let's log every packet that reaches this rule, right before # it hits our INPUT policy and gets a DROP: $IPT -A INPUT -j LOG --log-prefix "INPUT DROP: " # Let's load the module allowing Connection Tracking for FTP: /sbin/modprobe ip_conntrack_ftp # Let's load the module allowing Connection Tracking for IRC: /sbin/modprobe ip_conntrack_irc # No rc.firewall script is complete without the ubiquitous echo: echo "So let it be written. So let it be done."