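#!/bin/bash
#
# Simple stateful iptables firewall for a single-homed host.
#
# Usage: iptables.sh {start|restart|force-reload|open|stop}
#
#   start/restart/force-reload  flush everything and install the
#                               DROP-by-default rule set below
#   open                        flush everything, default policy ACCEPT
#   stop                        flush everything, default policy DROP (the
#                               host is left with NO connectivity, loopback
#                               included; use "open" to clear the firewall)
#
# Load modules first:
#
#   modprobe ip_tables
#   modprobe ip_conntrack
#   modprobe ip_conntrack_ftp
#
# RFC 1700 states that the include file, /usr/include/netinet/in.h,
# defines a constant, IPPORT_RESERVED, to be 1024.  Port numbers 0 to
# 1023, inclusive, are reserved for privileged processes, eg., root.
# Port numbers 1024 to 65535 are assumed reserved for processes not
# necessarily privileged.  This means that non-privileged ports are
# specified 1024:65535.
#
# The Linux specific range of local return port numbers, from
# /proc/sys/net/ipv4/ip_local_port_range: 1024-4999
#
# Meaning that for Linux, 1024:65535 could be replaced with 1024:4999.
#
# RFC 1918 defines the Private Internet address ranges:
#
#   10.0.0.0    - 10.255.255.255   (10/8 prefix)
#   172.16.0.0  - 172.31.255.255   (172.16/12 prefix)
#   192.168.0.0 - 192.168.255.255  (192.168/16 prefix)
#
# This address range should be used for Network Address
# Translation/masquerading of internal networks; 10.7/12 in this rule
# set.
#
# The IANA reserved address space is listed in
# http://www.iana.org/assignments/ipv4-address-space.
#
# These address ranges should be blocked, in addition to the unused
# private Internet ranges.
#
# Written by John Conover.
#
# Simple firewall rules.
#
PATH=/sbin:/usr/sbin:/bin:/usr/bin:/usr/local/bin
export PATH

if ! test -x /sbin/iptables; then
  echo "${0##*/}: /sbin/iptables is missing or not executable" >&2
  exit 1
fi

###############################################################################
#
# Helpers.
#

#######################################
# Flush all rules, delete user chains, zero counters and set the three
# built-in filter chains to the same policy.
# Arguments: $1 - policy (ACCEPT or DROP)
#######################################
reset_tables() {
  local policy=$1
  iptables -F
  iptables -X
  iptables -Z
  iptables -P INPUT "$policy"
  iptables -P FORWARD "$policy"
  iptables -P OUTPUT "$policy"
}

#######################################
# Append a LOG rule followed by a terminating rule with the same match,
# the "log it, then drop/reject it" pair used throughout this file.
# Arguments: $1 - chain
#            $2 - log prefix (iptables truncates prefixes beyond 29 chars)
#            $3 - terminating target (DROP or REJECT)
#            $4.. - the match, passed verbatim to iptables
#######################################
log_then() {
  local chain=$1 prefix=$2 target=$3
  shift 3
  iptables -A "$chain" "$@" -j LOG --log-prefix "$prefix"
  iptables -A "$chain" "$@" -j "$target"
}

###############################################################################
#
# Site configuration.
#
# STRONG blocking = more secure, restricting access to specific outgoing
# port addresses.
#
# WEAK blocking = less secure, without restricting any access to
# outgoing port addresses (every service listening on this host is
# reachable from INNET, and any outbound TCP/UDP destination is allowed).
#
# Both are stateful constructs, choose one or the other:
#
# FWBLOCKING=STRONG
FWBLOCKING=WEAK

# Internal interface:
INIF="eth0"

# INIF's IP address:
INIP="10.7.2.92"

# The internal local network:
#
# NOTE(review): INNET's /16 prefix (iptables reads 10.7.2.0/16 as
# 10.7.0.0/16), BROADCAST's 10.7.2.255 (a /24 broadcast) and the 10.7/12
# quoted in the header disagree; confirm which mask the LAN really uses
# before relying on the anti-spoof and broadcast rules below.
INNET="10.7.2.0/16"
BROADCAST="10.7.2.255"

LOOPBACK="127.0.0.0/8"
CLASS_A="10.0.0.0/8"
CLASS_B="172.16.0.0/12"
CLASS_C="192.168.0.0/16"
CLASS_D_MULTICAST="224.0.0.0/4"
CLASS_E_RESERVED_NET="240.0.0.0/4"
P_PORTS="0:1023"
UP_PORTS="1024:65535"
TR_SRC_PORTS="32769:65535"
TR_DEST_PORTS="33434:33523"

# Ports that must never cross INIF in either direction: Bootp, Netbios,
# MS RPC and SMB.
NETBIOS_PORTS="67,68,135,137,138,139,445"

# IANA reserved (R) and multicast (M) address space.  These were the
# unallocated /8s on http://www.iana.org/assignments/ipv4-address-space
# when this file was written (2009).
#
# NOTE(review): IANA has since handed essentially all of these /8s to
# the regional registries (the free pool ran out in 2011), so this
# static list now drops traffic to and from legitimately assigned
# addresses.  Regenerate it from a current bogon feed, or trim it to the
# blocks that are still special-purpose (0/8, 224/4, 240/4).
IANA_RESERVED_NETS=(
  0.0.0.0/7
  2.0.0.0/8
  5.0.0.0/8
  14.0.0.0/8
  23.0.0.0/8
  27.0.0.0/8
  31.0.0.0/8
  36.0.0.0/7
  39.0.0.0/8
  42.0.0.0/8
  46.0.0.0/8
  49.0.0.0/8
  50.0.0.0/8
  100.0.0.0/6
  104.0.0.0/6
  175.0.0.0/8
  176.0.0.0/7
  179.0.0.0/8
  181.0.0.0/8
  182.0.0.0/8
  185.0.0.0/8
  223.0.0.0/8
  224.0.0.0/4
  240.0.0.0/4
)

# Service lists used by the STRONG rule set.
#
# (Ports 20025 = qmail-qread, 20026 = mailf, 20030 = mpg123, 20031 =
# mpg123.cont, 20032 = mpg123.int, 20033 = mpg123.stop, 20034 =
# mpg123.term, 20060 fetchmail; all running under tcpserver(1).)
LOCAL_TCP_SERVICES="ssh,smtp,whois,domain,www,pop-3,auth,imap2,https,ipp,webcache"
LOCAL_TCP_HIGH_SERVICES="20025,20026,20030,20031,20032,20033,20034,20060"
LOCAL_UDP_SERVICES="ssh,domain,www,pop-3,imap2,https,ipp"
EXTERNAL_TCP_SERVICES="ssh,smtp,whois,domain,www,pop-3,auth,imap2,https,webcache"

# External network VPN TCP services:
#
# (smtp 40025 localhost to 30025 green.rahul.net, pop-3 40110 localhost
# to 30110 green.rahul.net, nntp, 40119 localhost to 30119
# green.rahul.net, imap, 40143 localhost to 30143 green.rahul.net, imap,
# 41143 localhost to 31143 green.rahul.net, webcache, 48080 localhost to
# 38080 green.rahul.net; green.rahul.net = 192.160.13.49.)
VPN_NET="192.160.13.0/24"
VPN_TCP_PORTS="30025,30110,30119,30143,31143,38080"

case "$1" in
  start|restart|force-reload)
    #
    # Start the firewall rules:
    #
    echo "Starting firewall"

    ###########################################################################
    #
    # Initialize the chains, and set default policy of DROP:
    #
    reset_tables DROP

    ###########################################################################
    #
    # Kernel flags:
    #
    # Disable response to ping:
    echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_all
    # Disable response to broadcasts:
    echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
    # Enable TCP SYN cookies:
    echo "1" > /proc/sys/net/ipv4/tcp_syncookies
    # Enable bad error messages protection:
    echo "1" > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
    # Disable IP forwarding:
    echo "0" > /proc/sys/net/ipv4/ip_forward

    # Per-interface flags (the glob also covers the "all" and "default"
    # pseudo-interfaces):
    #
    # Don't send redirects, (only use redirects if acting as a router,)
    # send_redirects = 0.
    #
    # Reject insecure redirects, accept_redirects = 0.
    #
    # Redirects can be abused to perform man-in-the-middle attacks;
    # enable redirects from trusted sources only, secure_redirects = 1.
    #
    # Disable inbound source routed packets to prevent spoofed IP
    # addresses, accept_source_route = 0.
    #
    # Turn off bootp relaying, bootp_relay = 0.
    #
    # Send an ARP for address to which we have a route, (only send ARP
    # if acting as a host,) proxy_arp = 0.
    #
    # Log any packets that have IP addresses that shouldn't exist,
    # log_martians = 1.
    #
    # Do not respond to packets that would go out a different interface
    # than the one the packet came in, rp_filter = 1.
    #
    for interface in /proc/sys/net/ipv4/conf/*; do
      echo "0" > "${interface}/send_redirects"
      echo "0" > "${interface}/accept_redirects"
      echo "1" > "${interface}/secure_redirects"
      echo "0" > "${interface}/accept_source_route"
      echo "0" > "${interface}/bootp_relay"
      echo "0" > "${interface}/proxy_arp"
      echo "1" > "${interface}/log_martians"
      echo "1" > "${interface}/rp_filter"
    done

    ###########################################################################
    #
    # Enable the local interface:
    #
    iptables -A INPUT -i lo -j ACCEPT
    iptables -A OUTPUT -o lo -j ACCEPT

    ###########################################################################
    #
    # Syn flood protection:
    #
    # Maximize the rate of incoming connections.  In order to do this we
    # divert tcp packets with the SYN bit set off to a user-defined
    # chain.  Up to limit-burst connections can arrive in 1/limit
    # seconds; in this case 4 connections in one second.  After this, one
    # of the burst is regained every second and connections are allowed
    # again.  The default limit is 3/hour.  The default limit burst is 5.
    #
    iptables -N syn-flood
    iptables -A INPUT -i "$INIF" -p tcp --syn -j syn-flood
    iptables -A syn-flood -m limit --limit 1/s --limit-burst 4 -j RETURN
    log_then syn-flood "$INIF Input TCP Syn Flood: " DROP

    ###########################################################################
    #
    # New tcp connections must be made with Syn packets:
    #
    log_then INPUT "$INIF Input TCP Syn: " DROP \
      -i "$INIF" -p tcp ! --syn -m state --state NEW

    ###########################################################################
    #
    # Refuse spoofed packets pretending to be from the INIP IP address:
    #
    log_then INPUT "$INIF Input Spoof: " DROP -i "$INIF" -s "$INIP"

    # Refuse packets claiming to be from a Class A private network.
    # (INNET lives inside 10/8, so these two rules are commented out;
    # enable them if the LAN moves to another range.)
    #
    # log_then INPUT "$INIF Input Class A Private: " DROP -i "$INIF" -s "$CLASS_A"

    # Refuse packets claiming to be from a Class B private network:
    log_then INPUT "$INIF Input Class B Private: " DROP -i "$INIF" -s "$CLASS_B"

    # Refuse packets claiming to be from a Class C private network:
    log_then INPUT "$INIF Input Class C Private: " DROP -i "$INIF" -s "$CLASS_C"

    # Refuse Class D multicast addresses.  Multicast is illegal as a
    # source address:
    log_then INPUT "$INIF Input Multicast: " DROP -i "$INIF" -s "$CLASS_D_MULTICAST"

    # Refuse Class E reserved IP addresses:
    log_then INPUT "$INIF Input Class E: " DROP -i "$INIF" -s "$CLASS_E_RESERVED_NET"

    # Refuse packets claiming to be to the loopback interface:
    log_then INPUT "$INIF Input Loopback Spoof: " DROP -i "$INIF" -d "$LOOPBACK"

    # Refuse broadcast address packets:
    log_then INPUT "$INIF Input Broadcast: " DROP -i "$INIF" -d "$BROADCAST"

    # Refuse IANA reserved address ranges, on every interface, in both
    # directions.  Inbound is silently DROPped; outbound gets a REJECT so
    # local processes fail fast instead of waiting for a timeout.
    #
    for net in "${IANA_RESERVED_NETS[@]}"; do
      log_then INPUT "$INIF Input IANA Reserved: " DROP -s "$net"
      log_then OUTPUT "$INIF Output IANA Reserved: " REJECT -d "$net"
    done

    # Refuse Netbios packets, (inputs are blocked by default policy; the
    # packet is handled with a REJECT, instead of a DROP, since it was
    # generated locally, and the DROP timeout is inappropriate; blocks
    # internally generated requests for external Bootp/Netbios/RPC
    # services).  The UDP rules used to log with a "TCP Netbios" prefix;
    # they now say "UDP Netbios" so the log tells the two apart.
    #
    log_then INPUT "$INIF Input TCP Netbios: " DROP \
      -p tcp -i "$INIF" -d 0.0.0.0/0 -m multiport --dport "$NETBIOS_PORTS"
    log_then OUTPUT "$INIF Output TCP Netbios: " REJECT \
      -p tcp -o "$INIF" -d 0.0.0.0/0 -m multiport --dport "$NETBIOS_PORTS"
    log_then INPUT "$INIF Input UDP Netbios: " DROP \
      -p udp -i "$INIF" -d 0.0.0.0/0 -m multiport --dport "$NETBIOS_PORTS"
    log_then OUTPUT "$INIF Output UDP Netbios: " REJECT \
      -p udp -o "$INIF" -d 0.0.0.0/0 -m multiport --dport "$NETBIOS_PORTS"

    # Refuse non-local input packets to privileged ports, (probably
    # handled by default).
    #
    # NOTE: "-s ! addr" is the pre-1.4.3 negation syntax; iptables 1.4.3
    # and later warn about it and newer releases reject it, in which case
    # write the match as:  ! -s "$INNET"
    #
    log_then INPUT "$INIF Input Privileged: " DROP \
      -p tcp -i "$INIF" -s ! "$INNET" -d "$INIP" --dport "$P_PORTS"

    # Issue a REJECT for external auth requests, (required by some broken
    # SMTP engines if this machine is an SMTP host):
    #
    # iptables -A INPUT -i "$INIF" -p tcp --dport auth -j REJECT --reject-with tcp-reset

    ###########################################################################
    #
    # Custom chains for handling ICMP.  ICMP types:
    #
    #  0: echo reply (pong)
    #  3: destination-unreachable (port-unreachable, fragmentation-needed etc).
    #  4: source quench
    #  5: redirect
    #  8: echo request (ping)
    #  9: router advertisement
    # 10: router solicitation
    # 11: time-exceeded
    # 12: parameter-problem
    # 13: timestamp request
    # 14: timestamp reply
    # 15: information request
    # 16: information reply
    # 17: address mask request
    # 18: address mask reply
    #
    # Every ICMP packet on INIF is diverted into icmp-in / icmp-out; the
    # permitted types RETURN to the built-in chain, everything else is
    # logged and dropped there.
    #
    iptables -N icmp-in
    iptables -N icmp-out

    iptables -A INPUT -i "$INIF" -p icmp -j icmp-in
    iptables -A OUTPUT -o "$INIF" -p icmp -j icmp-out

    # Accept 0,3,4,11,12,14,16,18 input:
    for icmp_type in 0 3 4 11 12 14 16 18; do
      iptables -A icmp-in -i "$INIF" -p icmp --icmp-type "$icmp_type" \
        -s 0/0 -d "$INIP" -j RETURN
    done

    # Allow 4,8,12,13,15,17 output:
    for icmp_type in 4 8 12 13 15 17; do
      iptables -A icmp-out -o "$INIF" -p icmp --icmp-type "$icmp_type" \
        -s "$INIP" -d 0/0 -j RETURN
    done

    # Any ICMP not already allowed is logged and then dropped, (except
    # type 3 destination-unreachable, etc., responses which were probably
    # generated by DNS UDP timeouts, and will be simply dropped to avoid
    # filling up the log files):
    #
    iptables -A icmp-out -o "$INIF" -p icmp --icmp-type 3 -s "$INIP" -d 0/0 -j DROP

    log_then icmp-in "$INIF Input ICMP: " DROP -i "$INIF"
    log_then icmp-out "$INIF Output ICMP: " DROP -o "$INIF"

    # Returned from ICMP input chain, and packet can be accepted if
    # related to other connections:
    #
    iptables -A INPUT -i "$INIF" -p icmp -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Returned from ICMP output chain, the packet can be accepted under
    # all circumstances:
    #
    iptables -A OUTPUT -o "$INIF" -p icmp -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

    if [ "${FWBLOCKING}" = "STRONG" ]; then
      #########################################################################
      #
      # Local network TCP services provided by this machine:
      #
      iptables -A INPUT -i "$INIF" -p tcp -s "$INNET" -m multiport \
        --dport "$LOCAL_TCP_SERVICES" -m state --state NEW,ESTABLISHED -j ACCEPT
      iptables -A INPUT -i "$INIF" -p tcp -s "$INNET" -m multiport \
        --dport "$LOCAL_TCP_HIGH_SERVICES" -m state --state NEW,ESTABLISHED -j ACCEPT
      iptables -A OUTPUT -o "$INIF" -p tcp -d "$INNET" -m multiport \
        --sport "$LOCAL_TCP_SERVICES" -m state --state ESTABLISHED -j ACCEPT
      iptables -A OUTPUT -o "$INIF" -p tcp -d "$INNET" -m multiport \
        --sport "$LOCAL_TCP_HIGH_SERVICES" -m state --state ESTABLISHED -j ACCEPT

      #########################################################################
      #
      # Local network UDP services provided by this machine:
      #
      iptables -A INPUT -i "$INIF" -p udp -s "$INNET" -m multiport \
        --dport "$LOCAL_UDP_SERVICES" -m state --state NEW,ESTABLISHED -j ACCEPT
      iptables -A OUTPUT -o "$INIF" -p udp -d "$INNET" -m multiport \
        --sport "$LOCAL_UDP_SERVICES" -m state --state ESTABLISHED -j ACCEPT

      #########################################################################
      #
      # External network VPN TCP services (see VPN_NET / VPN_TCP_PORTS):
      #
      iptables -A INPUT -i "$INIF" -p tcp -m multiport -s "$VPN_NET" \
        --sport "$VPN_TCP_PORTS" -m state --state ESTABLISHED -j ACCEPT
      iptables -A OUTPUT -o "$INIF" -p tcp -m multiport -d "$VPN_NET" \
        --dport "$VPN_TCP_PORTS" -m state --state NEW,ESTABLISHED -j ACCEPT

      #########################################################################
      #
      # External network TCP services:
      #
      iptables -A INPUT -i "$INIF" -p tcp -m multiport \
        --sport "$EXTERNAL_TCP_SERVICES" -m state --state ESTABLISHED -j ACCEPT
      iptables -A OUTPUT -o "$INIF" -p tcp -m multiport \
        --dport "$EXTERNAL_TCP_SERVICES" -m state --state NEW,ESTABLISHED -j ACCEPT

      #########################################################################
      #
      # External network UDP services:
      #
      iptables -A INPUT -i "$INIF" -p udp --sport domain -m state --state ESTABLISHED -j ACCEPT
      iptables -A OUTPUT -o "$INIF" -p udp --dport domain -m state --state NEW,ESTABLISHED -j ACCEPT

      #########################################################################
      #
      # Additions for external network ftp service:
      #
      # Allow ftp outbound:
      #
      iptables -A INPUT -i "$INIF" -p tcp --sport ftp -m state --state ESTABLISHED -j ACCEPT
      iptables -A OUTPUT -o "$INIF" -p tcp --dport ftp -m state --state NEW,ESTABLISHED -j ACCEPT

      # Active ftp involves a connection inbound from port 20 on a remote
      # machine, to a local port passed over the ftp channel via a PORT
      # command.  The ip_conntrack_ftp module recognizes the connection
      # as RELATED to the original outgoing connection to port 21 so a
      # new state match is not necessary:
      #
      iptables -A INPUT -i "$INIF" -p tcp --sport 20 -m state --state ESTABLISHED,RELATED -j ACCEPT
      iptables -A OUTPUT -o "$INIF" -p tcp --dport 20 -m state --state ESTABLISHED -j ACCEPT

      # Passive ftp involves a connection outbound from a port greater
      # than 1023 on the local machine, to a port greater than 1023 on
      # the remote machine previously passed over the ftp channel via a
      # PORT command.  The ip_conntrack_ftp module recognizes the
      # connection as RELATED to the original outgoing connection to port
      # 21 so a new state match is not necessary:
      #
      iptables -A INPUT -i "$INIF" -p tcp --sport "$UP_PORTS" --dport "$UP_PORTS" \
        -m state --state ESTABLISHED -j ACCEPT
      iptables -A OUTPUT -o "$INIF" -p tcp --sport "$UP_PORTS" --dport "$UP_PORTS" \
        -m state --state ESTABLISHED,RELATED -j ACCEPT

      #########################################################################
      #
      # Additions for traceroute(8), (the reply to a traceroute is an
      # icmp time-exceeded):
      #
      iptables -A OUTPUT -o "$INIF" -p udp --sport "$TR_SRC_PORTS" --dport "$TR_DEST_PORTS" \
        -m state --state NEW -j ACCEPT
    else
      #########################################################################
      #
      # Local network TCP services provided by this machine:
      #
      iptables -A INPUT -i "$INIF" -p tcp -s "$INNET" -m state --state NEW,ESTABLISHED -j ACCEPT
      iptables -A OUTPUT -o "$INIF" -p tcp -d "$INNET" -m state --state NEW,ESTABLISHED -j ACCEPT

      #########################################################################
      #
      # Local network UDP services provided by this machine:
      #
      iptables -A INPUT -i "$INIF" -p udp -s "$INNET" -m state --state NEW,ESTABLISHED -j ACCEPT
      iptables -A OUTPUT -o "$INIF" -p udp -d "$INNET" -m state --state NEW,ESTABLISHED -j ACCEPT

      #########################################################################
      #
      # External network TCP services:
      #
      iptables -A INPUT -i "$INIF" -p tcp -m state --state ESTABLISHED -j ACCEPT
      iptables -A OUTPUT -o "$INIF" -p tcp -m state --state NEW,ESTABLISHED -j ACCEPT

      #########################################################################
      #
      # External network UDP services:
      #
      iptables -A INPUT -i "$INIF" -p udp -m state --state ESTABLISHED -j ACCEPT
      iptables -A OUTPUT -o "$INIF" -p udp -m state --state NEW,ESTABLISHED -j ACCEPT

      #########################################################################
      #
      # Additions for external network ftp service:
      #
      # Active ftp involves a connection inbound from port 20 on a remote
      # machine, to a local port passed over the ftp channel via a PORT
      # command.  The ip_conntrack_ftp module recognizes the connection
      # as RELATED to the original outgoing connection to port 21 so a
      # new state match is not necessary:
      #
      iptables -A INPUT -i "$INIF" -p tcp --sport 20 -m state --state RELATED -j ACCEPT

      # Passive ftp involves a connection outbound from a port greater
      # than 1023 on the local machine, to a port greater than 1023 on
      # the remote machine previously passed over the ftp channel via a
      # PORT command.  The ip_conntrack_ftp module recognizes the
      # connection as RELATED to the original outgoing connection to port
      # 21 so a new state match is not necessary:
      #
      iptables -A OUTPUT -o "$INIF" -p tcp --sport "$UP_PORTS" --dport "$UP_PORTS" \
        -m state --state RELATED -j ACCEPT
    fi

    ###########################################################################
    #
    # Logging, these packets will be logged and dropped.  (The OUTPUT
    # icmp catch-all used to log under the "Output TCP:" prefix; it is
    # now "Output ICMP:".)
    #
    # UDP:
    log_then INPUT "$INIF Input UDP: " DROP -i "$INIF" -p udp
    log_then OUTPUT "$INIF Output UDP: " DROP -o "$INIF" -p udp

    # ICMP:
    log_then INPUT "$INIF Input ICMP: " DROP -i "$INIF" -p icmp
    log_then OUTPUT "$INIF Output ICMP: " DROP -o "$INIF" -p icmp

    # TCP:
    log_then INPUT "$INIF Input TCP: " DROP -i "$INIF" -p tcp
    log_then OUTPUT "$INIF Output TCP: " DROP -o "$INIF" -p tcp

    # Anything else:
    log_then INPUT "$INIF Input: " DROP -i "$INIF"
    log_then OUTPUT "$INIF Output: " DROP -o "$INIF"

    ###########################################################################
    ;;

  open)
    echo "Opening firewall"
    ###########################################################################
    #
    # Initialize the chains, and set default policy of ACCEPT:
    #
    reset_tables ACCEPT
    ###########################################################################
    ;;

  stop)
    echo "Stopping firewall"
    ###########################################################################
    #
    # Initialize the chains, and set default policy of DROP (nothing,
    # loopback included, gets through until "start" or "open" is run):
    #
    reset_tables DROP
    ###########################################################################
    ;;

  *)
    # An unrecognised action used to be silently ignored with exit 0;
    # report it so init scripts and operators notice the typo.
    echo "Usage: ${0##*/} {start|restart|force-reload|open|stop}" >&2
    exit 1
    ;;
esac

#
# A license is hereby granted to reproduce this software for personal,
# non-commercial use.
#
# THIS PROGRAM IS PROVIDED "AS IS". THE AUTHOR PROVIDES NO WARRANTIES
# WHATSOEVER, EXPRESSED OR IMPLIED, INCLUDING WARRANTIES OF
# MERCHANTABILITY, TITLE, OR FITNESS FOR ANY PARTICULAR PURPOSE. THE
# AUTHOR DOES NOT WARRANT THAT USE OF THIS PROGRAM DOES NOT INFRINGE THE
# INTELLECTUAL PROPERTY RIGHTS OF ANY THIRD PARTY IN ANY COUNTRY.
#
# So there.
#
# Copyright (c) 1992-2009, John Conover, , All
# Rights Reserved.
#
# $Revision: 1.0 $
# $Date: 2009/05/26 21:43:30 $
# $Id: iptables.txt,v 1.0 2009/05/26 21:43:30 conover Exp $
# $Log: iptables.txt,v $
# Revision 1.0 2009/05/26 21:43:30 conover
# Initial revision
#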