| 1 |
Hello, |
| 2 |
Can anyone good with iptables give this script a once over? It is |
| 3 |
working, but in a very inconsistent manner, sometimes it lets traffic in, |
| 4 |
other times not. Two things it does not have are dhcp rules as this box gets |
| 5 |
it's address via dhcp and cifs rules, this machine mounts cifs shares, if |
| 6 |
anyone has those i'd appreciate them. This is a single nic box, not a router |
| 7 |
just an internal client i'd like to protect. |
| 8 |
Adapted from: |
| 9 |
|
| 10 |
http://www.novell.com/coolsolutions/feature/18139.html |
| 11 |
|
| 12 |
Thanks. |
| 13 |
Dave. |
| 14 |
|
| 15 |
#!/bin/bash |
| 16 |
# |
| 17 |
# Script for iptables firewall |
| 18 |
|
| 19 |
# define variables |
| 20 |
IF_PUB=eth0 |
| 21 |
IP_PUB=192.168.0.106 |
| 22 |
NET_PRV=192.168.0.0/24 |
| 23 |
ANYWHERE=0.0.0.0/0 |
| 24 |
|
| 25 |
# set up default policies |
| 26 |
iptables -P INPUT DROP |
| 27 |
iptables -P OUTPUT DROP |
| 28 |
iptables -P FORWARD DROP |
| 29 |
|
| 30 |
# remove any existing rules |
| 31 |
iptables -F -t nat |
| 32 |
iptables -F -t mangle |
| 33 |
iptables -F -t filter |
| 34 |
# Removes any user-defined chains |
| 35 |
iptables -X |
| 36 |
|
| 37 |
# If the machine is a router enable the next line |
| 38 |
#echo 1 > /proc/sys/net/ipv4/ip_forward |
| 39 |
|
| 40 |
# forward from the public interface |
| 41 |
#iptables -A FORWARD -i $IF_PUB -m state --state ESTABLISHED,RELATED -j |
| 42 |
ACCEPT |
| 43 |
|
| 44 |
# allow everything to and from the loopback |
| 45 |
iptables -A INPUT -i lo -j ACCEPT |
| 46 |
iptables -A OUTPUT -o lo -j ACCEPT |
| 47 |
|
| 48 |
# allow communications on the local network |
| 49 |
# This allows unrestricted communications |
| 50 |
#iptables -A INPUT -i $IF_PUB -s $NET_PRV -j ACCEPT |
| 51 |
# This allows only established or forwarded connections |
| 52 |
iptables -A INPUT -i $IF_PUB -m state --state ESTABLISHED,RELATED -j ACCEPT |
| 53 |
iptables -A OUTPUT -o $IF_PUB -d $NET_PRV -j ACCEPT |
| 54 |
|
| 55 |
# If your doing nat |
| 56 |
#iptables -t nat -A POSTROUTING -s $NET_PRV -o $IP_PUB -j SNAT --to $IP_PUB |
| 57 |
|
| 58 |
# allow various types of ICMP |
| 59 |
# 8 for echo request, echo response, destination unreachable, and time |
| 60 |
exceeded |
| 61 |
iptables -A INPUT -p icmp --icmp-type 0 -j ACCEPT |
| 62 |
iptables -A INPUT -p icmp --icmp-type 3 -j ACCEPT |
| 63 |
iptables -A INPUT -p icmp --icmp-type 11 -j ACCEPT |
| 64 |
iptables -A INPUT -p icmp --icmp-type 8 -m limit --limit 1/second -j ACCEPT |
| 65 |
|
| 66 |
# allow ssh |
| 67 |
iptables -A INPUT -i $IF_PUB -p tcp -d $IP_PUB -m limit --limit 1/minute |
| 68 |
--limit-burst 1 -j ACCEPT |
| 69 |
|
| 70 |
# mail and web server on a different host |
| 71 |
#iptables -t nat -A PREROUTING -i $IF_PUB -d $IP_PUB -p tcp --dport smtp -j |
| 72 |
DNAT --to 192.168.1.254 |
| 73 |
#iptables -t nat -A PREROUTING -i $IF_PUB -d $IP_PUB -p tcp --dport http -j |
| 74 |
DNAT --to 192.168.1.253 |
| 75 |
#iptables -A FORWARD -m state --state NEW,ESTABLISHED,RELATED -i $IF_PUB -p |
| 76 |
tcp --dport http -j ACCEPT |
| 77 |
|
| 78 |
# send a tcp reject |
| 79 |
iptables -A INPUT -p tcp -j REJECT --reject-with tcp-reset |
| 80 |
|
| 81 |
# block irc |
| 82 |
#iptables -A INPUT -p tcp --dport irc -j DROP |
| 83 |
#iptables -A INPUT -p udp --dport irc -j DROP |
| 84 |
#iptables -A INPUT -p tcp --dport irc-serv -j DROP |
| 85 |
#iptables -A INPUT -p udp --dport irc-serv -j DROP |
| 86 |
#iptables -A INPUT -p tcp --dport ircs -j DROP |
| 87 |
#iptables -A INPUT -p udp --dport ircs -j DROPThese discard TCP and UDP IRC, |
| 88 |
IRC server and Secure IRC traffic. |
| 89 |
|
| 90 |
# block a specific host |
| 91 |
#iptables -A INPUT -i $IF_PUB -s 10.220.231.236 -j REJECT --reject-with |
| 92 |
icmp-host-prohibited |
| 93 |
|
| 94 |
# traffic from one port to another |
| 95 |
#iptables -t nat -A PREROUTING -i $IF_PUB -d $IP_PUB -p tcp --dport 444 -j |
| 96 |
DNAT --to 192.168.1.254:443 |
| 97 |
#iptables -A FORWARD -m state --state NEW,ESTABLISHED,RELATED -o $IF_PRV -p |
| 98 |
tcp --dport 443 -j ACCEPT |
Archives