Simple firewall
This script should suit most people well - simply edit the EXT_IF variable below and replace it with your network interface that's connected to the net. --rworkman
#!/bin/bash

# Define variables
IPT=/usr/sbin/iptables  # change if needed
EXT_IF=eth0             # external interface (connected to internet)

# Enable TCP SYN Cookie Protection
# ** comment the line below if it throws an error;
# ** TCP_SYN_COOKIES must be enabled in the kernel
# ** for this to work
echo 1 > /proc/sys/net/ipv4/tcp_syncookies

# Disable ICMP Redirect Acceptance
echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects

# Do not send Redirect Messages
echo 0 > /proc/sys/net/ipv4/conf/all/send_redirects

# Enable bad error message protection
echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses

# Enable broadcast echo protection
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts

# Disable source-routed packets
echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route

# Log spoofed packets, source-routed packets, and redirect packets
echo 1 > /proc/sys/net/ipv4/conf/all/log_martians

# Set default policy to DROP
# ** note: the policy takes effect immediately, before the ACCEPT rules
# ** below exist, so packets of an existing ssh session are dropped
# ** (and retransmitted) for the split second until the
# ** ESTABLISHED,RELATED rule is added
$IPT -P INPUT DROP
$IPT -P OUTPUT ACCEPT
$IPT -P FORWARD DROP

# Flush old rules (-F removes rules, not the policies set above)
$IPT -F

# Allow loopback traffic
$IPT -A INPUT -i lo -j ACCEPT
$IPT -A OUTPUT -o lo -j ACCEPT

# Allow packets of established connections and those
# which are related to established connections
# ** note: this only matches on $EXT_IF; on a host with a second
# ** (LAN) interface, replies arriving there hit the DROP policy
$IPT -A INPUT -i $EXT_IF -p all -m state --state ESTABLISHED,RELATED -j ACCEPT

# Allow incoming ssh from internet
# ** (uncomment the line below if you want to allow incoming ssh)
#$IPT -A INPUT -i $EXT_IF -p tcp --destination-port 22 -m state --state NEW -j ACCEPT
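The following is an added example, not rworkman's script above and not part of this wiki page: it builds the same ruleset but parameterises the interface and the accepted TCP ports, refuses to run against an interface name that does not exist on the host, skips sysctl keys the running kernel lacks instead of aborting, and orders the iptables calls so that the ESTABLISHED,RELATED and loopback rules are in place before the INPUT policy flips to DROP (so an ssh session used to apply the script never meets a DROP policy with no ACCEPT rule). Setting IPT=echo turns it into a dry run that prints the rules instead of applying them. The function names, the FIREWALL_APPLY switch and the SYSNET / SYSCTL_ROOT overrides (which exist only so the logic can be exercised without root) are this example's own inventions.

```shell
#!/bin/bash
# Added example, not the wiki's firewall script. Assumed names:
# validate_iface, apply_sysctls, build_rules, main, FIREWALL_APPLY,
# SYSNET, SYSCTL_ROOT.
set -u

IPT=${IPT:-/usr/sbin/iptables}   # set IPT=echo for a dry run

# Succeed only if the named interface exists on this host, so a typo in
# the interface name cannot silently produce rules that match nothing.
validate_iface() {
    local sysnet=${SYSNET:-/sys/class/net}
    [ -n "${1:-}" ] && [ -d "$sysnet/$1" ]
}

# Write the same kernel hardening settings as the page's script, skipping
# any key this kernel does not expose (e.g. no SYN cookie support).
apply_sysctls() {
    local root=${SYSCTL_ROOT:-/proc/sys} kv key val
    for kv in net/ipv4/tcp_syncookies=1 \
              net/ipv4/conf/all/accept_redirects=0 \
              net/ipv4/conf/all/send_redirects=0 \
              net/ipv4/icmp_ignore_bogus_error_responses=1 \
              net/ipv4/icmp_echo_ignore_broadcasts=1 \
              net/ipv4/conf/all/accept_source_route=0 \
              net/ipv4/conf/all/log_martians=1; do
        key=${kv%=*}; val=${kv#*=}
        if [ -w "$root/$key" ]; then
            echo "$val" > "$root/$key"
        else
            echo "skip: $root/$key not present or not writable" >&2
        fi
    done
}

# Emit the ruleset for external interface $1; remaining arguments are TCP
# ports on which NEW connections from $1 are accepted. Order: flush, add
# the ACCEPT rules, and only then set the DROP policy.
build_rules() {
    local ext_if=$1 port; shift
    $IPT -F
    $IPT -X
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A OUTPUT -o lo -j ACCEPT
    # Deliberately not bound to $ext_if: replies arriving on a LAN
    # interface of a multi-homed host must be accepted as well.
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    for port in "$@"; do
        $IPT -A INPUT -i "$ext_if" -p tcp --dport "$port" -m state --state NEW -j ACCEPT
    done
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT
}

main() {
    if [ $# -lt 1 ]; then
        echo "usage: $0 EXT_IF [TCP_PORT ...]" >&2
        return 2
    fi
    local ext_if=$1; shift
    validate_iface "$ext_if" || { echo "no such interface: '$ext_if'" >&2; return 1; }
    apply_sysctls
    build_rules "$ext_if" "$@"
}

# Usage (as root):  FIREWALL_APPLY=1 ./firewall.sh eth0 22
# Dry run:          FIREWALL_APPLY=1 IPT=echo ./firewall.sh eth0 22
if [ "${FIREWALL_APPLY:-0}" = 1 ]; then
    main "$@"
fi
```

When applying this over ssh to a remote box, run the dry run first and keep a second session open; if a rule is wrong, the second session (already ESTABLISHED) is what lets you flush the table.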