Packet filtering setup script

Packet filtering setup script by Anthony C. Zboralski.

Packet filtering setup script Ranking & Summary


  • License:
  • GPL
  • Price:
  • FREE
  • Publisher Name:
  • Anthony C. Zboralski
  • Publisher web site:
  • http://www.linuxguruz.com/iptables/scripts/rc.firewall_008.txt

Packet filtering setup script Description

Packet filtering setup script by Anthony C. Zboralski. Adapted by Didi Damian for iptables version 1.0.0.

Sample:

#!/bin/sh
# Packet filtering setup script by Anthony C. Zboralski.
# Adapted by Didi Damian for iptables version 1.0.0.
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin

# Set up variables
EXT_IF="eth0"
INT_IF="eth1"
EXT_IP=24.x.x.x/32
INT_IP=192.168.0.1/32
EXT_NET=24.x.x.0/24
INT_NET=192.168.0.0/24
MASQ_NETS="192.168.0.0/24"
LOCAL_ADDRS="127.0.0.0/8 192.168.0.1/32 24.x.x.x/32"
MAIL_RELAY=24.x.x.x/32
SMB_ACCESS="192.168.0.2/32"
SMB_BCAST="192.168.0.255/32"

# Turn on IP forwarding
echo Turning on IP forwarding.
echo 1 > /proc/sys/net/ipv4/ip_forward

# Load the ip_tables module
echo Loading ip_tables module.
/sbin/modprobe ip_tables || exit 1   # I let the kernel dynamically load the other modules

echo Flush standard tables.
iptables --flush INPUT
iptables --flush OUTPUT
iptables --flush FORWARD

echo Deny everything until firewall setup is completed.
iptables --policy INPUT DROP
iptables --policy OUTPUT DROP
iptables --policy FORWARD DROP

# Collect every user-defined chain (everything except the three built-in ones)
CHAINS=`iptables -n -L | perl -n -e '/Chain\s+(\S+)/ && !($1 =~ /^(INPUT|FORWARD|OUTPUT)$/) && print "$1 "'`
echo Remove remaining chains:
echo $CHAINS
for chain in $CHAINS; do
    iptables --flush $chain
done
# 2nd step because of dependencies: a chain can only be deleted once no rule references it
for chain in $CHAINS; do
    iptables --delete-chain $chain
done

for net in $MASQ_NETS; do
    # I delete all the rules so you can rerun the script without bloating
    # your nat entries. (The loop variable $net is used here; the original
    # used $MASQ_NETS, which only works when that list holds a single network.)
    iptables -D POSTROUTING -t nat -s $net -j MASQUERADE 2>/dev/null
    iptables -A POSTROUTING -t nat -s $net -j MASQUERADE || exit 1
done
iptables --policy FORWARD ACCEPT

# Create a target for logging and dropping packets
iptables --new LDROP 2>/dev/null
iptables -A LDROP --proto tcp -j LOG --log-level info --log-prefix "TCP Drop "
iptables -A LDROP --proto udp -j LOG --log-level info --log-prefix "UDP Drop "
iptables -A LDROP --proto icmp -j LOG --log-level info --log-prefix "ICMP Drop "
iptables -A LDROP --proto gre -j LOG --log-level info --log-prefix "GRE Drop "
iptables -A LDROP -f -j LOG --log-level emerg --log-prefix "FRAG Drop "
iptables -A LDROP -j DROP

# Create a chain for watching (rate-limited logging of) some accept rules
iptables --new WATCH 2>/dev/null
iptables -A WATCH -m limit -j LOG --log-level warn --log-prefix "ACCEPT "
iptables -A WATCH -j ACCEPT

echo Special target for local addresses:
iptables --new LOCAL 2>/dev/null
echo $LOCAL_ADDRS
for ip in $LOCAL_ADDRS; do
    iptables -A INPUT --dst $ip -j LOCAL
#   iptables -A INPUT --src $ip -i ! lo -j LDROP   # lame spoof protect
done

echo Authorize mail from mail relay.
iptables -A LOCAL --proto tcp --syn --src $MAIL_RELAY --dst $EXT_IP --dport 25 -j ACCEPT

echo Authorizing samba access to:
echo $SMB_ACCESS
iptables --new SMB 2>/dev/null
for ip in $SMB_ACCESS; do
    iptables -A SMB -s $ip -j ACCEPT
done
# Samba is only reachable from interfaces other than the external one
iptables -A LOCAL --proto udp -i ! $EXT_IF --dport 135:139 -j SMB
iptables -A LOCAL --proto tcp -i ! $EXT_IF --dport 135:139 -j SMB
iptables -A LOCAL --proto tcp -i ! $EXT_IF --dport 445 -j SMB
iptables -A INPUT -i ! $EXT_IF --dst $SMB_BCAST -j ACCEPT   # lame samba broadcast

echo Drop and log every other incoming tcp connection attempt.
iptables -A LOCAL -i ! lo --proto tcp --syn -j LDROP

echo Authorize dns access for local nets.
for net in $MASQ_NETS 127.0.0.0/8; do
    iptables -A INPUT --proto udp --src $net --dport 53 -j ACCEPT
done

echo Enforcing ICMP policies, use iptables -L ICMP to check.
# If you deny all ICMP messages you head for trouble since it would
# break lots of tcp/ip algorithms (acz)
iptables --new ICMP 2>/dev/null
iptables -A INPUT --proto icmp -j ICMP
iptables -A ICMP -p icmp --icmp-type echo-reply -j ACCEPT
iptables -A ICMP -p icmp --icmp-type destination-unreachable -j WATCH
iptables -A ICMP -p icmp --icmp-type network-unreachable -j WATCH
iptables -A ICMP -p icmp --icmp-type host-unreachable -j WATCH
iptables -A ICMP -p icmp --icmp-type protocol-unreachable -j WATCH
iptables -A ICMP -p icmp --icmp-type port-unreachable -j ACCEPT
# Note: dropping fragmentation-needed disables path MTU discovery for this host
iptables -A ICMP -p icmp --icmp-type fragmentation-needed -j LDROP
iptables -A ICMP -p icmp --icmp-type source-route-failed -j WATCH
iptables -A ICMP -p icmp --icmp-type network-unknown -j WATCH
iptables -A ICMP -p icmp --icmp-type host-unknown -j WATCH
iptables -A ICMP -p icmp --icmp-type network-prohibited -j WATCH
iptables -A ICMP -p icmp --icmp-type host-prohibited -j WATCH
iptables -A ICMP -p icmp --icmp-type TOS-network-unreachable -j WATCH
iptables -A ICMP -p icmp --icmp-type TOS-host-unreachable -j WATCH
iptables -A ICMP -p icmp --icmp-type communication-prohibited -j WATCH
iptables -A ICMP -p icmp --icmp-type host-precedence-violation -j LDROP
iptables -A ICMP -p icmp --icmp-type precedence-cutoff -j LDROP
iptables -A ICMP -p icmp --icmp-type source-quench -j LDROP
iptables -A ICMP -p icmp --icmp-type redirect -j LDROP
iptables -A ICMP -p icmp --icmp-type network-redirect -j LDROP
iptables -A ICMP -p icmp --icmp-type host-redirect -j LDROP
iptables -A ICMP -p icmp --icmp-type TOS-network-redirect -j LDROP
iptables -A ICMP -p icmp --icmp-type TOS-host-redirect -j LDROP
iptables -A ICMP -p icmp --icmp-type echo-request -j WATCH
iptables -A ICMP -p icmp --icmp-type router-advertisement -j LDROP
iptables -A ICMP -p icmp --icmp-type router-solicitation -j LDROP
iptables -A ICMP -p icmp --icmp-type time-exceeded -j WATCH
iptables -A ICMP -p icmp --icmp-type ttl-zero-during-transit -j WATCH
iptables -A ICMP -p icmp --icmp-type ttl-zero-during-reassembly -j WATCH
iptables -A ICMP -p icmp --icmp-type parameter-problem -j WATCH
iptables -A ICMP -p icmp --icmp-type ip-header-bad -j WATCH
iptables -A ICMP -p icmp --icmp-type required-option-missing -j WATCH
iptables -A ICMP -p icmp --icmp-type timestamp-request -j LDROP
iptables -A ICMP -p icmp --icmp-type timestamp-reply -j LDROP
iptables -A ICMP -p icmp --icmp-type address-mask-request -j LDROP
iptables -A ICMP -p icmp --icmp-type address-mask-reply -j LDROP
iptables -A ICMP -p icmp -j LDROP

echo Authorize tcp traffic.
iptables -A INPUT --proto tcp -j ACCEPT

echo Authorize packet output.
iptables --policy OUTPUT ACCEPT

#echo reject ident: if you drop them you have to wait for the timeout
#iptables -I LOCAL --proto tcp --syn --dst $EXT_IP --dport 113 -j REJECT

echo Drop and log all udp below 1024.
iptables -A INPUT -i ! lo --proto udp --dport :1023 -j LDROP

echo Drop rpc dynamic udp ports:
# Extract the udp port column from rpcinfo output
RPC_UDP=`rpcinfo -p localhost | perl -n -e '/.*udp\s+(\d+)\s+/ && print $1,"\n"' | sort -u`
echo $RPC_UDP
for port in $RPC_UDP; do
    iptables -A LOCAL -i ! lo --proto udp --dport $port -j LDROP
done

echo Authorize udp above 1024.
iptables -A INPUT --proto udp --dport 1024: -j ACCEPT
