AllixD Firewall Script

From SlackWiki
Jump to navigation Jump to search

I use this. It does not allow any incoming data, so it's no good for NFS servers.



# Let's make sure forwarding is DISABLED:
echo "0" > /proc/sys/net/ipv4/ip_forward

# Let's enable SYN cookies (to protect against SYN floods):
echo "1" > /proc/sys/net/ipv4/tcp_syncookies

# Let's disable TCP timestamps to reduce the TCP stack workload:
echo "0" > /proc/sys/net/ipv4/tcp_timestamps

# Let's enable reverse path filtering for anti-spoofing:
echo "1" > /proc/sys/net/ipv4/conf/all/rp_filter

# Let's ignore PINGs which have been BROADCAST:
echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts

# Let's disable source routed packets as they are ridiculous:
echo "0" > /proc/sys/net/ipv4/conf/all/accept_source_route

# Let's allow redirects from trusted gateways only:
echo "1" > /proc/sys/net/ipv4/conf/all/secure_redirects

# Let's log any UFOs which are spotted:
echo "1" > /proc/sys/net/ipv4/conf/all/log_martians

# Let's flush-out all the chains in our tables:
$IPT -F -t nat
$IPT -F -t mangle

# Let's delete every non-builtin chains in our tables:
$IPT -X -t nat
$IPT -X -t mangle

# Let's set our INPUT policy to DROP:

# Let's set our OUTPUT policy to ACCEPT, because we can
# appreciate this kinda flexibility on a Home PC:

# Let's accept incoming packets which belong to connections
# that have ALREADY been initiated:

# Let's allow all packets initiating new connections LOCALLY:
$IPT -A INPUT -i lo -m state --state NEW -j ACCEPT

# Let's log every packet that reaches this rule, right before
# it hits our INPUT policy and gets a DROP:
$IPT -A INPUT -j LOG --log-prefix "INPUT DROP: "

# Let's load the module allowing Connection Tracking for FTP:
/sbin/modprobe ip_conntrack_ftp

# Let's load the module allowing Connection Tracking for IRC:
/sbin/modprobe ip_conntrack_irc

# No rc.firewall script is complete without the ubiquitous echo:
echo "So let it be written. So let it be done."