Simple firewall

From SlackWiki

This script should suit most people well - simply edit the EXT_IF variable below and replace it with your network interface that's connected to the net. --rworkman

#!/bin/bash

# Define variables
IPT=/usr/sbin/iptables		# change if needed
EXT_IF=eth0			# external interface (connected to internet)

# Enable TCP SYN Cookie Protection
# ** comment the line below if it throws an error;
# ** the kernel must be built with CONFIG_SYN_COOKIES
# ** for /proc/sys/net/ipv4/tcp_syncookies to exist
echo 1 > /proc/sys/net/ipv4/tcp_syncookies

# Disable ICMP Redirect Acceptance
echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects

# Do not send Redirect Messages
echo 0 > /proc/sys/net/ipv4/conf/all/send_redirects

# Enable bad error message protection
echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses

# Enable broadcast echo protection
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts

# Disable source-routed packets
echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route

# Log spoofed packets, source-routed packets, and redirect packets
echo 1 > /proc/sys/net/ipv4/conf/all/log_martians

# Set default policy to DROP
$IPT -P INPUT DROP
$IPT -P OUTPUT ACCEPT
$IPT -P FORWARD DROP

# Flush old rules
$IPT -F

# Allow loopback traffic
$IPT -A INPUT -i lo -j ACCEPT
$IPT -A OUTPUT -o lo -j ACCEPT

# Allow packets of established connections and those 
#   which are related to established connections
$IPT -A INPUT -i $EXT_IF -p all -m state --state ESTABLISHED,RELATED -j ACCEPT

# Allow incoming ssh from internet 
# ** (uncomment the line below if you want to allow incoming ssh)
#$IPT -A INPUT -i $EXT_IF -p tcp --destination-port 22 -m state --state NEW -j ACCEPT
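After running the script it is worth confirming that the kernel actually holds the ruleset you expect, since a typo in EXT_IF or an error part-way through leaves the host with a different policy than intended. The audit script below is an added example, not part of the wiki page or rworkman's script: it reads an iptables-save dump (a file path as its argument, or a constructed sample dump when run with no argument), checks for the default policies and the loopback and ESTABLISHED,RELATED rules the script above installs, and lists every rule that admits NEW connections from the external interface. EXT_IF and the sample dump are assumptions made for the example.

```shell
#!/bin/bash
# Audit an iptables-save dump for the policies and rules the script above sets.
# Usage: iptables-save > rules.txt && ./audit.sh rules.txt
# Without an argument the constructed SAMPLE_DUMP below is audited instead.
EXT_IF="${EXT_IF:-eth0}"   # same meaning as EXT_IF in the firewall script

# audit_ruleset <dump-text>: prints one line per check; returns 0 only if all pass.
audit_ruleset() {
    dump="$1"
    failed=0
    # iptables-save writes default policies as ":CHAIN POLICY [pkts:bytes]".
    # The state match may be saved as "-m state --state" or, with the nft
    # backend, as "-m conntrack --ctstate", with the two states in either order.
    for spec in \
        "INPUT default policy is DROP|^:INPUT DROP " \
        "FORWARD default policy is DROP|^:FORWARD DROP " \
        "OUTPUT default policy is ACCEPT|^:OUTPUT ACCEPT " \
        "loopback accepted on INPUT|^-A INPUT -i lo -j ACCEPT\$" \
        "established/related accepted on $EXT_IF|^-A INPUT -i $EXT_IF (-p all )?-m (state --state|conntrack --ctstate) (ESTABLISHED,RELATED|RELATED,ESTABLISHED) -j ACCEPT\$"
    do
        name="${spec%%|*}"; regex="${spec#*|}"   # split at the first '|'
        if printf '%s\n' "$dump" | grep -Eq -- "$regex"; then
            echo "ok   $name"
        else
            echo "FAIL $name"; failed=$((failed + 1))
        fi
    done
    # List every rule that admits NEW connections from outside (such as the
    # optional ssh rule) so each open port can be reviewed deliberately.
    printf '%s\n' "$dump" | grep -E "^-A INPUT -i $EXT_IF .*NEW.* -j ACCEPT" |
        sed 's/^/note: accepts new connections from outside: /'
    [ "$failed" -eq 0 ]
}

# Constructed sample dump (not captured from a real host) mirroring the script
# with the optional ssh rule enabled.
SAMPLE_DUMP='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 22 -m state --state NEW -j ACCEPT
COMMIT'

if [ $# -gt 0 ]; then audit_ruleset "$(cat "$1")"; else audit_ruleset "$SAMPLE_DUMP"; fi
```

The exit status is non-zero when any check fails, so the audit can be run from cron or a config-management hook after the firewall script.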