#!/bin/sh
##################################################################
#
## rc.firewall.iptables -- Version 1.1b
#
##################################################################
## tony@involution.com
## http://www.involution.com
## 07/02/01
## Obsid@sentry.net
## http://www.sentry.net/~obsid/
## 10/20/00
## Example IPTables 1.1.2 script for a dual homed firewall.
## Please feel free to send me any comments or suggestions.
## Visit one of the NetFilter Project Home Pages for more information about IPTables.
## http://netfilter.kernelnotes.org/
## More Resources:
## http://netfilter.kernelnotes.org/unreliable-guides/networking-concepts-HOWTO.html
## http://netfilter.kernelnotes.org/unreliable-guides/packet-filtering-HOWTO.html
## http://netfilter.kernelnotes.org/unreliable-guides/NAT-HOWTO.html
## http://metalab.unc.edu/pub/Linux/docs/howto/other-formats/html_single/Adv-Routing-HOWTO.html
## Variables
## Path to the iptables binary; every rule in this script is issued through it.
IPTABLES=/sbin/iptables
## Interfaces: the NIC facing the world, the NIC facing the protected LAN,
## and the loopback device. Adjust to your hardware.
EXTERNAL=eth0 # External Interface
INTERNAL=eth1 # Internal Interface
LOOPBACK=lo # Loopback Interface
## Address block of the protected LAN behind $INTERNAL.
INTERNAL_NET=192.168.0.0/24
## Reset the filter table to a known state before rebuilding it.
## NOTE(review): the flush comes before "-P INPUT DROP" below, so between
## the two the kernel runs with no rules under whatever INPUT policy was in
## force before (the built-in default is ACCEPT). Setting the DROP policy
## first would close that window, at the price of briefly stalling
## existing sessions until the KEEP_STATE rules are in place.
## Attempt to Flush All Rules in Filter Table
$IPTABLES -F
## Flush Built-in Rules (the table-wide "-F" above already did this; harmless)
$IPTABLES -F INPUT
$IPTABLES -F OUTPUT
$IPTABLES -F FORWARD
## Flush Rules/Delete User Chains in Mangle Table
$IPTABLES -F -t mangle
$IPTABLES -t mangle -X
## Delete all user-defined chains, reduces dumb warnings if you run
## this script more than once.
$IPTABLES -X
## Set Default Policies
$IPTABLES -P INPUT DROP ## Highly Recommended
$IPTABLES -P OUTPUT ACCEPT
## NOTE(review): FORWARD is left at ACCEPT, so on this dual-homed box the
## policy, not a rule, decides any forwarded packet that the chains below
## neither accept nor drop explicitly. Make sure the FORWARD chain ends in
## an explicit catch-all (as INPUT does in "Main Stuff"), or set this to
## DROP and accept the forwarded services explicitly.
$IPTABLES -P FORWARD ACCEPT
#iptables -A INPUT -j LOG --log-level=info
## More variables further down near the NAT rules.
## NOTE: "Special Chains" First, Regular INPUT/OUTPUT chains will follow.
###############################################################################
## Special Chains
###############################################################################
###############################################################################
## Special chain KEEP_STATE to handle incoming, outgoing, and
## established connections.
## Callers jump here from the per-interface chains and from OUTPUT. The
## chain only ACCEPTs or DROPs; packets it does not match fall back to the
## calling chain.
$IPTABLES -N KEEP_STATE
$IPTABLES -F KEEP_STATE
## DROP packets associated with an "INVALID" connection.
$IPTABLES -A KEEP_STATE -m state --state INVALID -j DROP
## ACCEPT packets belonging to, or related to, a connection that is already
## established (replies, ICMP errors, FTP data channels and the like).
$IPTABLES -A KEEP_STATE -m state --state RELATED,ESTABLISHED -j ACCEPT
## ACCEPT NEW connections whose input interface is anything but the external
## interface. NOTE(review): "-i ! ..." is the old intrapositioned negation;
## current iptables still accepts it but warns and prefers "! -i ...".
$IPTABLES -A KEEP_STATE -i ! $EXTERNAL -m state --state NEW -j ACCEPT
###############################################################################
## Special chain CHECK_FLAGS that will LOG and then DROP TCP packets with
## certain illegal TCP flag combinations set.
## Each pattern gets two rules: a rate-limited LOG (5/minute per rule, so
## a scan cannot flood the logs) followed by an unconditional DROP. The LOG
## rule must stay first: DROP is terminating, so a LOG placed after it
## would never fire.
## Keep in mind that these rules should never match normal traffic, they
## are designed to capture obviously messed up packets... but there's a lot
## of weird shit out there, so who knows.
## The log level is set by "--log-level" on each rule: 6 is "info" in the
## kernel facility. Please adjust for your taste. See the iptables and
## syslog.conf man pages for logging details.
$IPTABLES -N CHECK_FLAGS
$IPTABLES -F CHECK_FLAGS
## NMAP FIN/URG/PSH
## ("--tcp-flags ALL FIN,URG,PSH" = of all flags, exactly FIN, URG and PSH set)
$IPTABLES -A CHECK_FLAGS -p tcp --tcp-flags ALL FIN,URG,PSH -m limit \
--limit 5/minute -j LOG --log-level 6 --log-prefix "NMAP-XMAS:"
$IPTABLES -A CHECK_FLAGS -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
## Xmas Tree (every flag set)
$IPTABLES -A CHECK_FLAGS -p tcp --tcp-flags ALL ALL -m limit \
--limit 5/minute -j LOG --log-level 6 --log-prefix "Merry XMAS:"
$IPTABLES -A CHECK_FLAGS -p tcp --tcp-flags ALL ALL -j DROP
## Another Xmas Tree (everything but PSH)
$IPTABLES -A CHECK_FLAGS -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -m limit \
--limit 5/minute -j LOG --log-level 6 --log-prefix "XMAS-PSH:"
$IPTABLES -A CHECK_FLAGS -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP
## Null Scan(possibly) -- no flags at all
$IPTABLES -A CHECK_FLAGS -p tcp --tcp-flags ALL NONE -m limit \
--limit 5/minute -j LOG --log-level 6 --log-prefix "NULL_SCAN:"
$IPTABLES -A CHECK_FLAGS -p tcp --tcp-flags ALL NONE -j DROP
## SYN/RST -- mutually exclusive in a real handshake
$IPTABLES -A CHECK_FLAGS -p tcp --tcp-flags SYN,RST SYN,RST -m limit \
--limit 5/minute -j LOG --log-level 6 --log-prefix "SYN/RST:"
$IPTABLES -A CHECK_FLAGS -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
## SYN/FIN -- Scan(possibly)
$IPTABLES -A CHECK_FLAGS -p tcp --tcp-flags SYN,FIN SYN,FIN -m limit \
--limit 5/minute -j LOG --log-level 6 --log-prefix "SYN/FIN:"
$IPTABLES -A CHECK_FLAGS -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
## Make some types of port scans annoyingly slow, also provides some protection
## against certain DoS attacks. The rule in chain KEEP_STATE referring to the
## INVALID state should catch most TCP packets with the RST or FIN bits set that
## aren't associated with an established connection. Still, these will limit the
## amount of stuff that is accepted through our open ports(if any). I suggest you
## test these for your configuration before you uncomment them, as they could cause
## problems.
## NOTE(review): as written these do not merely rate-limit -- within the
## limit they ACCEPT. CHECK_FLAGS is the first chain EXTERNAL-input calls,
## so an uncommented SYN rule would admit up to one new connection per
## second to ANY port before DENY_PORTS, KEEP_STATE or ALLOW_PORTS-EXTERNAL
## get to look at it. Leave them commented unless that is understood.
# $IPTABLES -A CHECK_FLAGS -m limit --limit 1/second -p tcp --tcp-flags ALL RST -j ACCEPT
# $IPTABLES -A CHECK_FLAGS -m limit --limit 1/second -p tcp --tcp-flags ALL FIN -j ACCEPT
# $IPTABLES -A CHECK_FLAGS -m limit --limit 1/second -p tcp --tcp-flags ALL SYN -j ACCEPT
###############################################################################
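## Special Chain DENY_PORTS
## This chain will LOG (rate-limited) and then DROP packets based on port
## number. It only ever DROPs, so packets it does not match return to the
## calling chain.
## NOTE(review): callers that jump here with "-p tcp" never let the UDP
## rules below (Trinoo, Back Orifice) be evaluated; every rule in this
## chain carries its own "-p", so the jump itself need not be restricted.
## Rule order matters: the LOG rule for a port must come BEFORE the DROP
## rule for the same port, because DROP is terminating and anything after
## it in the chain is never evaluated. (An earlier version of this chain
## had each DROP before its LOG, which silently disabled all the logging.)
$IPTABLES -N DENY_PORTS
$IPTABLES -F DENY_PORTS
## NFS, X, VNC, SMB, blah blah -- dropped without logging.
## NetBIOS/SMB
$IPTABLES -A DENY_PORTS -p tcp --dport 137:139 -j DROP
$IPTABLES -A DENY_PORTS -p tcp --sport 137:139 -j DROP
## MS SQL Server
$IPTABLES -A DENY_PORTS -p tcp --dport 1433 -j DROP
$IPTABLES -A DENY_PORTS -p tcp --sport 1433 -j DROP
## NFS
$IPTABLES -A DENY_PORTS -p tcp --dport 2049 -j DROP
$IPTABLES -A DENY_PORTS -p tcp --sport 2049 -j DROP
## PostgreSQL
$IPTABLES -A DENY_PORTS -p tcp --dport 5432 -j DROP
$IPTABLES -A DENY_PORTS -p tcp --sport 5432 -j DROP
## X11 displays (6000+) and the range just below
$IPTABLES -A DENY_PORTS -p tcp --dport 5999:6063 -j DROP
$IPTABLES -A DENY_PORTS -p tcp --sport 5999:6063 -j DROP
## VNC
$IPTABLES -A DENY_PORTS -p tcp --dport 5900:5910 -j DROP
$IPTABLES -A DENY_PORTS -p tcp --sport 5900:5910 -j DROP
## (Possibly) Evil Stuff ##
## Each of these is logged first (at most 5 log entries per minute per
## rule, level 6 = info) and then dropped.
## Possible rpc.statd exploit shell
$IPTABLES -A DENY_PORTS -p tcp --dport 9704 -m limit --limit 5/minute \
-j LOG --log-level 6 --log-prefix "rpc.statd(9704) Shell:"
$IPTABLES -A DENY_PORTS -p tcp --dport 9704 -j DROP
$IPTABLES -A DENY_PORTS -p tcp --sport 9704 -m limit --limit 5/minute \
-j LOG --log-level 6 --log-prefix "rpc.statd(9704) Shell:"
$IPTABLES -A DENY_PORTS -p tcp --sport 9704 -j DROP
## NetBus and NetBus Pro
$IPTABLES -A DENY_PORTS -p tcp --dport 20034 -m limit --limit 5/minute \
-j LOG --log-level 6 --log-prefix "NetBus Pro:"
$IPTABLES -A DENY_PORTS -p tcp --dport 20034 -j DROP
$IPTABLES -A DENY_PORTS -p tcp --dport 12345:12346 -m limit --limit 5/minute \
-j LOG --log-level 6 --log-prefix "NetBus:"
$IPTABLES -A DENY_PORTS -p tcp --dport 12345:12346 -j DROP
## Trinoo
$IPTABLES -A DENY_PORTS -p tcp --sport 27665 -m limit --limit 5/minute \
-j LOG --log-level 6 --log-prefix "Trinoo:"
$IPTABLES -A DENY_PORTS -p tcp --sport 27665 -j DROP
$IPTABLES -A DENY_PORTS -p tcp --dport 27665 -m limit --limit 5/minute \
-j LOG --log-level 6 --log-prefix "Trinoo:"
$IPTABLES -A DENY_PORTS -p tcp --dport 27665 -j DROP
$IPTABLES -A DENY_PORTS -p udp --sport 27444 -m limit --limit 5/minute \
-j LOG --log-level 6 --log-prefix "Trinoo:"
$IPTABLES -A DENY_PORTS -p udp --sport 27444 -j DROP
$IPTABLES -A DENY_PORTS -p udp --dport 27444 -m limit --limit 5/minute \
-j LOG --log-level 6 --log-prefix "Trinoo:"
$IPTABLES -A DENY_PORTS -p udp --dport 27444 -j DROP
$IPTABLES -A DENY_PORTS -p udp --sport 31335 -m limit --limit 5/minute \
-j LOG --log-level 6 --log-prefix "Trinoo:"
$IPTABLES -A DENY_PORTS -p udp --sport 31335 -j DROP
$IPTABLES -A DENY_PORTS -p udp --dport 31335 -m limit --limit 5/minute \
-j LOG --log-level 6 --log-prefix "Trinoo:"
$IPTABLES -A DENY_PORTS -p udp --dport 31335 -j DROP
## Back Orifice
$IPTABLES -A DENY_PORTS -p tcp --dport 31337 -m limit --limit 5/minute \
-j LOG --log-level 6 --log-prefix "BackOrifice-TCP:"
$IPTABLES -A DENY_PORTS -p tcp --dport 31337 -j DROP
$IPTABLES -A DENY_PORTS -p udp --dport 31337 -m limit --limit 5/minute \
-j LOG --log-level 6 --log-prefix "BackOrifice-UDP:"
$IPTABLES -A DENY_PORTS -p udp --dport 31337 -j DROP
$IPTABLES -A DENY_PORTS -p tcp --sport 31337 -m limit --limit 5/minute \
-j LOG --log-level 6 --log-prefix "BackOrifice-TCP:"
$IPTABLES -A DENY_PORTS -p tcp --sport 31337 -j DROP
$IPTABLES -A DENY_PORTS -p udp --sport 31337 -m limit --limit 5/minute \
-j LOG --log-level 6 --log-prefix "BackOrifice-UDP:"
$IPTABLES -A DENY_PORTS -p udp --sport 31337 -j DROP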
###############################################################################
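## Special Chain SRC_EGRESS
## Rules to Provide Egress Filtering Based on Source IP Address.
## Jumped to from EXTERNAL-input and EXTERNAL-output; it only DROPs, so
## packets it does not match return to the caller.
$IPTABLES -N SRC_EGRESS
$IPTABLES -F SRC_EGRESS
##------------------------------------------------------------------------##
## DROP all reserved private IP addresses. Some of these may be legit
## for certain networks and configurations. For connection problems,
## traceroute is your friend.
## Class A Reserved (RFC 1918)
$IPTABLES -A SRC_EGRESS -s 10.0.0.0/8 -j DROP
## Class B Reserved (RFC 1918)
$IPTABLES -A SRC_EGRESS -s 172.16.0.0/12 -j DROP
## Class C Reserved (RFC 1918). Deliberately NOT dropped: $INTERNAL_NET lives
## in it, and forwarded LAN packets traverse this chain before SNAT.
#$IPTABLES -A SRC_EGRESS -s 192.168.0.0/16 -j ACCEPT
## Class D (multicast)
$IPTABLES -A SRC_EGRESS -s 224.0.0.0/4 -j DROP
## Class E (reserved). This is 240.0.0.0/4; the previous /5 stopped at
## 247.255.255.255 and the remaining /8s had to be listed one by one below.
$IPTABLES -A SRC_EGRESS -s 240.0.0.0/4 -j DROP
## Other Reserved Addresses ##
## The list here used to be adapted from Jean-Sebastien Morisset's IPChains
## firewall script (http://www.jsmoriss.dyndns.org/linux/rc.firewall) and
## enumerated the /8 blocks IANA had not yet allocated as of 2000. Every one
## of those /8s has since been assigned (the IANA free pool ran out in 2011),
## so keeping them would drop traffic from large parts of today's Internet.
## It is replaced by the RFC 6890 special-purpose ranges that are never a
## valid source on the public Internet and are not already covered above.
## 100.64.0.0/10 is carrier-grade NAT shared space; remove it if your
## upstream provider hands you an address from it.
RESERVED_NET="0.0.0.0/8 100.64.0.0/10 127.0.0.0/8 169.254.0.0/16 \
192.0.0.0/24 192.0.2.0/24 198.18.0.0/15 198.51.100.0/24 203.0.113.0/24"
## $RESERVED_NET is intentionally unquoted: word-splitting is the iteration.
for NET in $RESERVED_NET; do
$IPTABLES -A SRC_EGRESS -s "$NET" -j DROP
done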
##------------------------------------------------------------------------##
###############################################################################
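## Special Chain DST_EGRESS
## Rules to Provide Egress Filtering Based on Destination IP Address.
## Jumped to from EXTERNAL-input, EXTERNAL-output and INTERNAL-input; it
## only DROPs, so packets it does not match return to the caller.
$IPTABLES -N DST_EGRESS
$IPTABLES -F DST_EGRESS
##------------------------------------------------------------------------##
## DROP all reserved private IP addresses. Some of these may be legit
## for certain networks and configurations. For connection problems,
## traceroute is your friend.
## Class A Reserved (RFC 1918)
$IPTABLES -A DST_EGRESS -d 10.0.0.0/8 -j DROP
## Class B Reserved (RFC 1918)
$IPTABLES -A DST_EGRESS -d 172.16.0.0/12 -j DROP
## Class C Reserved (RFC 1918). Deliberately NOT dropped: packets DNAT'd to
## hosts in $INTERNAL_NET traverse this chain on their way into the LAN.
# $IPTABLES -A DST_EGRESS -d 192.168.0.0/16 -j ACCEPT
## Class D (multicast)
$IPTABLES -A DST_EGRESS -d 224.0.0.0/4 -j DROP
## Class E (reserved). This is 240.0.0.0/4; the previous /5 stopped at
## 247.255.255.255 and the remaining /8s had to be listed one by one below.
$IPTABLES -A DST_EGRESS -d 240.0.0.0/4 -j DROP
## Other Reserved Addresses ##
## The list here used to be adapted from Jean-Sebastien Morisset's IPChains
## firewall script (http://www.jsmoriss.dyndns.org/linux/rc.firewall) and
## enumerated the /8 blocks IANA had not yet allocated as of 2000. Every one
## of those /8s has since been assigned (the IANA free pool ran out in 2011),
## so keeping them would drop traffic to large parts of today's Internet.
## It is replaced by the RFC 6890 special-purpose ranges that are never a
## valid destination on the public Internet and are not already covered
## above. 100.64.0.0/10 is carrier-grade NAT shared space; remove it if
## your upstream provider uses it.
RESERVED_NET="0.0.0.0/8 100.64.0.0/10 127.0.0.0/8 169.254.0.0/16 \
192.0.0.0/24 192.0.2.0/24 198.18.0.0/15 198.51.100.0/24 203.0.113.0/24"
## $RESERVED_NET is intentionally unquoted: word-splitting is the iteration.
for NET in $RESERVED_NET; do
$IPTABLES -A DST_EGRESS -d "$NET" -j DROP
done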
##------------------------------------------------------------------------##
###############################################################################
## Special Chain MANGLE_OUTPUT
## Mangle values of packets created locally. Only TOS values are mangled right
## now. Attached from the mangle table's OUTPUT chain for "-o $EXTERNAL" (see
## "Main Stuff"); this is a QoS hint only, nothing is filtered here.
## TOS stuff: (type: iptables -m tos -h)
## Minimize-Delay 16 (0x10)
## Maximize-Throughput 8 (0x08)
## Maximize-Reliability 4 (0x04)
## Minimize-Cost 2 (0x02)
## Normal-Service 0 (0x00)
$IPTABLES -t mangle -N MANGLE_OUTPUT
$IPTABLES -t mangle -F MANGLE_OUTPUT
##------------------------------------------------------------------------------##
## - Most of these are the RFC 1060/1349 suggested TOS values, yours might vary.
## - To view mangle table, type: iptables -L -t mangle
## ftp-data: bulk transfer -> Maximize-Throughput
$IPTABLES -t mangle -A MANGLE_OUTPUT -p tcp --dport 20 -j TOS --set-tos 8
## ftp control, ssh, telnet, smtp, dns: interactive / request-response ->
## Minimize-Delay
$IPTABLES -t mangle -A MANGLE_OUTPUT -p tcp --dport 21 -j TOS --set-tos 16
$IPTABLES -t mangle -A MANGLE_OUTPUT -p tcp --dport 22 -j TOS --set-tos 16
$IPTABLES -t mangle -A MANGLE_OUTPUT -p tcp --dport 23 -j TOS --set-tos 16
$IPTABLES -t mangle -A MANGLE_OUTPUT -p tcp --dport 25 -j TOS --set-tos 16
$IPTABLES -t mangle -A MANGLE_OUTPUT -p tcp --dport 53 -j TOS --set-tos 16
$IPTABLES -t mangle -A MANGLE_OUTPUT -p udp --dport 53 -j TOS --set-tos 16
## http: bulk transfer -> Maximize-Throughput
$IPTABLES -t mangle -A MANGLE_OUTPUT -p tcp --dport 80 -j TOS --set-tos 8
##------------------------------------------------------------------------------##
###############################################################################
## Special Chain MANGLE_PREROUTING
## Rules to mangle TOS values of packets routed through the firewall. Only TOS
## values are mangled right now. Attached from the mangle table's PREROUTING
## chain for "-i $EXTERNAL" (see "Main Stuff"), i.e. it sees packets arriving
## from outside, whether they are for this host or forwarded to the LAN.
## TOS stuff: (type: iptables -m tos -h)
## Minimize-Delay 16 (0x10)
## Maximize-Throughput 8 (0x08)
## Maximize-Reliability 4 (0x04)
## Minimize-Cost 2 (0x02)
## Normal-Service 0 (0x00)
$IPTABLES -t mangle -N MANGLE_PREROUTING
$IPTABLES -t mangle -F MANGLE_PREROUTING
##-------------------------------------------------------------------------------##
## - Most of these are the RFC 1060/1349 suggested TOS values, yours might vary.
## - To view mangle table, type: iptables -L -t mangle
## Same per-port mapping as MANGLE_OUTPUT: 8 = Maximize-Throughput for the
## bulk ports (ftp-data, http), 16 = Minimize-Delay for the interactive ones.
$IPTABLES -t mangle -A MANGLE_PREROUTING -p tcp --dport 20 -j TOS --set-tos 8
$IPTABLES -t mangle -A MANGLE_PREROUTING -p tcp --dport 21 -j TOS --set-tos 16
$IPTABLES -t mangle -A MANGLE_PREROUTING -p tcp --dport 22 -j TOS --set-tos 16
$IPTABLES -t mangle -A MANGLE_PREROUTING -p tcp --dport 23 -j TOS --set-tos 16
$IPTABLES -t mangle -A MANGLE_PREROUTING -p tcp --dport 25 -j TOS --set-tos 16
$IPTABLES -t mangle -A MANGLE_PREROUTING -p tcp --dport 53 -j TOS --set-tos 16
$IPTABLES -t mangle -A MANGLE_PREROUTING -p udp --dport 53 -j TOS --set-tos 16
$IPTABLES -t mangle -A MANGLE_PREROUTING -p tcp --dport 80 -j TOS --set-tos 8
##-------------------------------------------------------------------------------##
###############################################################################
## Special Chain ALLOW_PORTS-EXTERNAL
## (The heading used to say ALLOW_EXTERNAL_PORTS; the chain actually created
## and referenced elsewhere is ALLOW_PORTS-EXTERNAL.)
## Rules to allow packets destined for the external interface based on port
## number. Reached from EXTERNAL-input after the flag, port-deny, state and
## address checks, so these ACCEPTs only see packets the earlier checks
## neither accepted nor dropped -- in practice new connections from outside.
$IPTABLES -N ALLOW_PORTS-EXTERNAL
$IPTABLES -F ALLOW_PORTS-EXTERNAL
##------------------------------------------------------------------------##
## ALLOW foreign machines to access certain services.(Examples)
## SSH
## NOTE(review): 31339 is also the port the DNAT rule in the NAT section
## rewrites to 192.168.0.7:22 in PREROUTING (when the packet matches that
## rule's "-d"). Such packets reach the filter table with dport 22 and go to
## FORWARD, not INPUT, so this rule would not see them -- confirm which host
## is meant to answer on 31339. 1729 is undocumented here; presumably a
## second SSH port -- verify.
$IPTABLES -A ALLOW_PORTS-EXTERNAL -i $EXTERNAL -p tcp --dport 31339 -j ACCEPT
$IPTABLES -A ALLOW_PORTS-EXTERNAL -i $EXTERNAL -p tcp --dport 1729 -j ACCEPT
## ident (113): ACCEPT lets a local identd answer, or lets the kernel reset
## the connection if nothing listens, so remote servers that probe ident do
## not hang on a silently dropped packet. A REJECT variant is further down.
$IPTABLES -A ALLOW_PORTS-EXTERNAL -i $EXTERNAL -p tcp --dport 113 -j ACCEPT
## WWW
# $IPTABLES -A ALLOW_PORTS-EXTERNAL -i $EXTERNAL -p tcp --dport 80 -j ACCEPT
## REJECT port 113 ident requests.
# $IPTABLES -A ALLOW_PORTS-EXTERNAL -i $EXTERNAL -p tcp --dport 113 -j REJECT
##------------------------------------------------------------------------##
###############################################################################
## Firewall Input Chains
###############################################################################
###############################################################################
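## New chain for input to the external interface
## Entered from INPUT and FORWARD for "-i $EXTERNAL" (see "Main Stuff").
## Every rule here either jumps to a helper chain or ACCEPTs; there is no
## terminating rule at the end, so a packet nothing matches returns to the
## caller and is decided there. INPUT has a trailing catch-all DROP for that
## case; FORWARD must have one too.
$IPTABLES -N EXTERNAL-input
$IPTABLES -F EXTERNAL-input
##------------------------------------------------------------------------##
## Check TCP packets coming in on the external interface for weird flags
$IPTABLES -A EXTERNAL-input -i $EXTERNAL -p tcp -j CHECK_FLAGS
##------------------------------------------------------------------------##
## Filter incoming packets based on port number.
## The jump is deliberately not restricted to "-p tcp": every rule inside
## DENY_PORTS carries its own "-p tcp"/"-p udp" match, and restricting the
## jump to TCP meant the chain's UDP rules could never match anything.
$IPTABLES -A EXTERNAL-input -i $EXTERNAL -j DENY_PORTS
##------------------------------------------------------------------------##
## Stateful handling: INVALID dropped, RELATED/ESTABLISHED accepted. This
## sits before the address checks below, so replies to connections we
## initiated are accepted even if their source would fail SRC_EGRESS.
$IPTABLES -A EXTERNAL-input -i $EXTERNAL -j KEEP_STATE
##------------------------------------------------------------------------##
## Filter out Reserved/Private IP addresses by source.
$IPTABLES -A EXTERNAL-input -i $EXTERNAL -p all -j SRC_EGRESS
##------------------------------------------------------------------------##
## Filter out Reserved/Private IP addresses by destination.
$IPTABLES -A EXTERNAL-input -i $EXTERNAL -p all -j DST_EGRESS
##------------------------------------------------------------------------##
## Allow Packets On Certain External Ports
$IPTABLES -A EXTERNAL-input -i $EXTERNAL -j ALLOW_PORTS-EXTERNAL
##------------------------------------------------------------------------##
## ICMP Stuff. We're going to allow some ICMP.
## Echo Reply (pong)
$IPTABLES -A EXTERNAL-input -i $EXTERNAL -p icmp --icmp-type 0 -j ACCEPT
## Destination Unreachable (also what path-MTU discovery relies on)
$IPTABLES -A EXTERNAL-input -i $EXTERNAL -p icmp --icmp-type 3 -j ACCEPT
## Echo Request (ping) -- Several Options:
## Accept Pings (unlimited; the rate-limited variant below is the more
## conservative choice) ##
$IPTABLES -A EXTERNAL-input -i $EXTERNAL -p icmp --icmp-type 8 -j ACCEPT
## Accept Pings at the rate of one per second. ##
# $IPTABLES -A EXTERNAL-input -i $EXTERNAL -p icmp --icmp-type 8 -m limit \
# --limit 1/second -j ACCEPT
## LOG all pings. ##
# $IPTABLES -A EXTERNAL-input -i $EXTERNAL -p icmp --icmp-type 8 -m limit \
# --limit 5/minute -j LOG --log-level 1 --log-prefix "PING:"
## TTL Exceeded (traceroute)
$IPTABLES -A EXTERNAL-input -i $EXTERNAL -p icmp --icmp-type 11 -j ACCEPT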
##------------------------------------------------------------------------##
###############################################################################
## New chain for input to the internal interface
## Entered from INPUT and FORWARD for "-i $INTERNAL" (see "Main Stuff").
$IPTABLES -N INTERNAL-input
$IPTABLES -F INTERNAL-input
## ACCEPT internal to internal traffic
## NOTE(review): this rule matches every packet from $INTERNAL_NET and the
## next one drops everything else arriving on this interface, so the
## CHECK_FLAGS and DST_EGRESS jumps further down can never be reached. To
## make them effective, keep the DROP of foreign sources first, then the
## two jumps, then this ACCEPT -- and make sure DST_EGRESS's address list is
## current before exposing LAN traffic to it.
$IPTABLES -A INTERNAL-input -i $INTERNAL -s $INTERNAL_NET -d 0/0 -j ACCEPT
## DROP anything not coming from the internal network (LAN-side
## anti-spoofing; "-s ! ..." is the old intrapositioned negation syntax)
$IPTABLES -A INTERNAL-input -i $INTERNAL -s ! $INTERNAL_NET -d 0/0 -j DROP
##------------------------------------------------------------------------##
## Check TCP packets coming in on the internal interface for weird flags
## (currently unreachable, see the note above)
$IPTABLES -A INTERNAL-input -i $INTERNAL -p tcp -j CHECK_FLAGS
##------------------------------------------------------------------------##
##------------------------------------------------------------------------##
## Filter out Reserved/Private IP addresses based on Destination IP address.
## (currently unreachable, see the note above)
$IPTABLES -A INTERNAL-input -i $INTERNAL -p all -j DST_EGRESS
##------------------------------------------------------------------------##
###############################################################################
## New chain for input to the loopback interface
## Entered from INPUT for "-i $LOOPBACK"; local traffic is trusted outright.
$IPTABLES -N LO-input
$IPTABLES -F LO-input
## Accept packets to the loopback interface
$IPTABLES -A LO-input -i $LOOPBACK -j ACCEPT
###############################################################################
## Firewall Output Chains
###############################################################################
###############################################################################
## New chain for output from the external interface
## Entered from OUTPUT and FORWARD for "-o $EXTERNAL" (see "Main Stuff").
$IPTABLES -N EXTERNAL-output
$IPTABLES -F EXTERNAL-output
## ACCEPT outgoing packets on the external interface
## NOTE(review): this matches every packet that enters the chain (they all
## carry "-o $EXTERNAL"), so the three filters appended after it --
## SRC_EGRESS, DST_EGRESS and DENY_PORTS -- are never reached and the chain
## currently does no egress filtering at all. Moving this ACCEPT to the end
## of the chain activates them; do that only once the RESERVED_NET lists
## are current, otherwise DST_EGRESS will block outbound traffic to any
## address space that was unallocated when the list was written.
$IPTABLES -A EXTERNAL-output -o $EXTERNAL -j ACCEPT
##------------------------------------------------------------------------##
## Filter out Reserved/Private IP addresses by source.
## (currently unreachable, see the note above)
$IPTABLES -A EXTERNAL-output -o $EXTERNAL -p all -j SRC_EGRESS
##------------------------------------------------------------------------##
##------------------------------------------------------------------------##
## Filter out Reserved/Private IP addresses by destination.
## (currently unreachable, see the note above)
$IPTABLES -A EXTERNAL-output -o $EXTERNAL -p all -j DST_EGRESS
##------------------------------------------------------------------------##
##------------------------------------------------------------------------##
## Filter outgoing packets based on port number.
## (currently unreachable, see the note above)
$IPTABLES -A EXTERNAL-output -o $EXTERNAL -p tcp -j DENY_PORTS
##------------------------------------------------------------------------##
###############################################################################
## New chain for output across the internal interface
## Entered from OUTPUT and FORWARD for "-o $INTERNAL" (see "Main Stuff").
$IPTABLES -N INTERNAL-output
$IPTABLES -F INTERNAL-output
## ACCEPT all outbound traffic across the internal interfaces
## NOTE(review): in FORWARD this chain is also reached by packets that
## arrived on $EXTERNAL, unless an earlier FORWARD rule already decided
## them. This ACCEPT therefore admits any forwarded packet whose destination
## is in $INTERNAL_NET regardless of where it came from. Whatever the
## outside is allowed to open toward the LAN should be accepted -- and the
## rest dropped -- in FORWARD before this chain is consulted.
$IPTABLES -A INTERNAL-output -o $INTERNAL -d $INTERNAL_NET -j ACCEPT
## Anything else leaving via the LAN interface is handled statefully.
$IPTABLES -A INTERNAL-output -o $INTERNAL -j KEEP_STATE
###############################################################################
## New chain for output across the loopback device
## Entered from OUTPUT for "-o $LOOPBACK"; local traffic is trusted outright.
$IPTABLES -N LO-output
$IPTABLES -F LO-output
## ACCEPT all traffic across loopback device
$IPTABLES -A LO-output -o $LOOPBACK -j ACCEPT
###############################################################################
## Main Stuff
###############################################################################
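## Jumping to our INPUT chains.
$IPTABLES -A INPUT -i $INTERNAL -j INTERNAL-input
$IPTABLES -A INPUT -i $LOOPBACK -j LO-input
$IPTABLES -A INPUT -i $EXTERNAL -j EXTERNAL-input
## Sort of a Catch-all: anything from outside that EXTERNAL-input did not
## explicitly accept is dropped here rather than left to the INPUT policy.
$IPTABLES -A INPUT -i $EXTERNAL -m state --state INVALID,NEW -j DROP
## Jump to our OUTPUT chains.
$IPTABLES -A OUTPUT -o $INTERNAL -j INTERNAL-output
$IPTABLES -A OUTPUT -o $EXTERNAL -j EXTERNAL-output
$IPTABLES -A OUTPUT -o $LOOPBACK -j LO-output
$IPTABLES -A OUTPUT -j KEEP_STATE
## Jump to our FORWARD chains.
## Packets arriving on the external interface are fully decided here, before
## the output-side chains below get to see them.
$IPTABLES -A FORWARD -i $EXTERNAL -j EXTERNAL-input
## Forwarded connections the outside is allowed to open. The DNAT rule in
## the NAT section rewrites the published SSH port to 192.168.0.7:22 in
## PREROUTING, so by the time the packet reaches FORWARD its destination is
## already the LAN host; keep this rule in sync with that DNAT target.
$IPTABLES -A FORWARD -i $EXTERNAL -p tcp -d 192.168.0.7 --dport 22 \
-m state --state NEW -j ACCEPT
## Catch-all for FORWARD, mirroring the one on INPUT. Without it, a NEW
## connection from the external interface that EXTERNAL-input did not
## accept fell through to INTERNAL-output (which ACCEPTs everything bound
## for $INTERNAL_NET) or, failing that, to the FORWARD policy of ACCEPT --
## i.e. unsolicited traffic could be forwarded into the LAN. Replies to
## LAN-initiated connections are unaffected: they are accepted as
## ESTABLISHED/RELATED inside EXTERNAL-input -> KEEP_STATE.
$IPTABLES -A FORWARD -i $EXTERNAL -m state --state INVALID,NEW -j DROP
$IPTABLES -A FORWARD -o $EXTERNAL -j EXTERNAL-output
$IPTABLES -A FORWARD -i $INTERNAL -j INTERNAL-input
$IPTABLES -A FORWARD -o $INTERNAL -j INTERNAL-output
## Jump to mangle table rules
$IPTABLES -t mangle -A OUTPUT -o $EXTERNAL -j MANGLE_OUTPUT
$IPTABLES -t mangle -A PREROUTING -i $EXTERNAL -j MANGLE_PREROUTING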
### END FIREWALL RULES ###
###############################################################################
## IPTABLES Network Address Translation(NAT) Rules
###############################################################################
## The two commented variables below are what the commented examples refer
## to. INTERNAL_NET is already set at the top of the script; EXT_IP is never
## defined anywhere, which is why the live DNAT rule hard-codes its address.
#INTERNAL_NET="192.168.1.0/24"
#EXT_IP="123.123.123.123" # IP address of the External Interface.
## Flush the NAT table.
$IPTABLES -F -t nat
#iptables -t nat -P PREROUTING ACCEPT
#iptables -t nat -P POSTROUTING ACCEPT
#iptables -t nat -A POSTROUTING -o eth0 -s 192.168.0.0/24 -j MASQUERADE
##------------------------------------------------------------------------##
## Destination NAT -- (DNAT)
##------------------------------------------------------------------------##
## "Redirect" packets headed for certain ports on our external interface to other
## machines on the network. (Examples)
## SSH
## NOTE(review): the destination is hard-coded rather than taken from
## $EXT_IP as the WWW example does; if the external address changes, this
## rule silently stops matching. Also note that after this rewrite the
## packet reaches the filter FORWARD chain with destination 192.168.0.7:22,
## so the filter rules have to allow that, not port 31339. "--to" is the
## abbreviated form of "--to-destination".
$IPTABLES -t nat -A PREROUTING -i $EXTERNAL -p tcp -d 24.159.204.181 --dport 31339 \
-j DNAT --to 192.168.0.7:22
## WWW
# $IPTABLES -t nat -A PREROUTING -i $EXTERNAL -p tcp -d $EXT_IP --dport 80 \
# -j DNAT --to 192.168.69.69:80
##------------------------------------------------------------------------##
## Source NAT -- (SNAT/Masquerading)
##------------------------------------------------------------------------##
## Source NAT allows us to "masquerade" our internal machines behind our
## firewall.
## Static IP address ##
## Change source address of outgoing packets on external
## interface to our IP address.
# $IPTABLES -t nat -A POSTROUTING -o $EXTERNAL -j SNAT --to $EXT_IP
## Dynamic IP address ##
## NOTE(review): there is no "-s" match, so every packet leaving $EXTERNAL
## is subject to masquerading, not only those from $INTERNAL_NET. Adding
## "-s $INTERNAL_NET" (as the commented example near the top of this
## section does) limits NAT to the LAN.
$IPTABLES -t nat -A POSTROUTING -o $EXTERNAL -j MASQUERADE
### END NAT RULES ###
###############################################################################
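## Additional Kernel Configuration
###############################################################################
## Adjust for your requirements/preferences.
## Please make sure you understand what these things are doing before you
## uncomment them. A good place to start would be some of the resources
## listed at the top of this script as well as the documentation that comes
## with the linux kernel source.
## For Example: linux/Documentation/filesystems/proc.txt
## linux/Documentation/networking/ip-sysctl.txt
## NOTE(review): everything down to "Enable IP Forwarding" is commented out
## and so does nothing. rp_filter and log_martians in particular are the
## kernel's own complement to the SRC_EGRESS chain above (source-address
## sanity checking, with logging); they are worth enabling.
## - Disable source routing of packets
#if [ -e /proc/sys/net/ipv4/conf/all/accept_source_route ]; then
# for i in /proc/sys/net/ipv4/conf/*/accept_source_route; do
# echo 0 > $i;
# done
#fi
## - Enable rp_filter
#if [ -e /proc/sys/net/ipv4/conf/all/rp_filter ]; then
# for i in /proc/sys/net/ipv4/conf/*/rp_filter; do
# echo 1 > $i;
# done
#fi
## - Ignore any broadcast icmp echo requests
#if [ -e /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts ]; then
# echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
#fi
## - Ignore all icmp echo requests on all interfaces
#if [ -e /proc/sys/net/ipv4/icmp_echo_ignore_all ]; then
# echo 0 > /proc/sys/net/ipv4/icmp_echo_ignore_all
#fi
## - Local port range for TCP/UDP connections
## ("echo -e" is not portable under #!/bin/sh; use printf if you enable this)
#if [ -e /proc/sys/net/ipv4/ip_local_port_range ]; then
# echo -e "32768\t61000" > /proc/sys/net/ipv4/ip_local_port_range
#fi
## - Log packets with impossible addresses to kernel log.
#if [ -e /proc/sys/net/ipv4/conf/all/log_martians ]; then
# echo 1 > /proc/sys/net/ipv4/conf/all/log_martians
#fi
## - Don't accept ICMP redirects
#if [ -e /proc/sys/net/ipv4/conf/all/accept_redirects ]; then
# echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects
#fi
## - Don't accept ICMP redirects
## (You may only want to disable on the external interface)
#if [ -e /proc/sys/net/ipv4/conf/$EXTERNAL/accept_redirects ]; then
# echo 0 > /proc/sys/net/ipv4/conf/$EXTERNAL/accept_redirects
#fi
## Additional options for dialup connections with a dynamic ip address
## See: linux/Documentation/networking/ip_dynaddr.txt
#if [ -e /proc/sys/net/ipv4/ip_dynaddr ]; then
# echo 1 > /proc/sys/net/ipv4/ip_dynaddr
#fi
## - Enable IP Forwarding
## Required for the FORWARD chain and the NAT rules above to carry any
## traffic between the internal and external interfaces. Diagnostics go to
## stderr, and a failed write (e.g. not running as root) is reported rather
## than silently ignored.
if [ -e /proc/sys/net/ipv4/ip_forward ]; then
echo 1 > /proc/sys/net/ipv4/ip_forward || \
echo "Uh oh: could not write to /proc/sys/net/ipv4/ip_forward" >&2
else
echo "Uh oh: /proc/sys/net/ipv4/ip_forward doesn't exist" >&2
echo "(That may be a problem)" >&2
fi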
## EOF