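#!/bin/sh
#
# ------ FIREWALL SETTINGS FOR LINUX PC IN LNF ------
#
# Builds the INPUT/FORWARD filter rules and the outbound SNAT rule for this
# host, saves the live ruleset to /etc/sysconfig/iptables, then restarts the
# iptables service so the saved file is what gets loaded at boot.
# Must run as root. Addresses used below:
#   192.168.202.0/24    internal LAN (arrives on eth1)
#   193.205.228.102     this host's public address (eth0), SNAT source
#   193.206.84.12/.112  DNS resolvers the LAN may reach over udp/53
#
# Flush and reset all filters
#
iptables -F -t filter
iptables -F -t nat
iptables -X
#
# Default policies. INPUT and OUTPUT stay ACCEPT: the INPUT chain ends in
# explicit REJECT rules for tcp and udp, and ICMP types other than
# echo-request (destination-unreachable, time-exceeded, ...) rely on the
# ACCEPT policy. FORWARD is DROP so the chain is fail-closed while the rules
# below are being loaded; the last FORWARD rule drops everything anyway, so
# the steady-state behaviour is unchanged (the original comment said
# "all FORWARD packets are dropped" but set ACCEPT).
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD DROP
#
# Build and flush a new chain for SYN packets for better filtering
#
iptables -N SYN
iptables -F SYN
#
# Accept all from loopback
#
iptables -A INPUT -i lo -j ACCEPT
#
# ------ FILTERS Global ------
# Put here all filters you want to REJECT or DROP always
#
#
# Drop all invalid packets
#
# iptables -A INPUT -i eth0 -m state --state INVALID -j LOG --log-prefix "INVALID PACKETS: "
iptables -A INPUT -m state --state INVALID -j DROP
#
# Drop non-first fragments (-f matches the second and further fragments).
# NOTE(review): with connection tracking loaded the kernel reassembles
# datagrams before the filter table sees them, so this rarely matches.
#
# iptables -A INPUT -i eth0 -f -j LOG --log-prefix "FRAGMENTS PACKETS: "
iptables -A INPUT -f -j DROP
#
# Drop all packets coming from suspicious nets (spoofing)
#
# iptables -A INPUT -i eth0 -s 127.0.0.0/8 -j LOG --log-prefix SPOOFING
iptables -A INPUT -s 127.0.0.0/8 -j DROP
# A multicast address is never a valid source. The original rule used
# "224.0/8", which is not a full dotted-quad address and may be rejected by
# the iptables address parser; the multicast range (RFC 1112) is 224.0.0.0/4.
# iptables -A INPUT -i eth0 -s 224.0.0.0/4 -j LOG --log-prefix SPOOFING
iptables -A INPUT -s 224.0.0.0/4 -j DROP
# RFC 1918 space is 172.16.0.0/12, not /16 -- fix the mask if this is
# ever re-enabled.
# iptables -A INPUT -i eth0 -s 172.16.0.0/16 -j LOG --log-prefix SPOOFING
# iptables -A INPUT -i eth0 -s 172.16.0.0/16 -j DROP
# iptables -A INPUT -i eth0 -s 10.0.0.0/8 -j LOG --log-prefix SPOOFING
iptables -A INPUT -s 10.0.0.0/8 -j DROP
#
# We have these private networks on our LAN so they are disabled
#
# iptables -A INPUT -i eth0 -s 192.168.0.0/16 -j LOG --log-prefix SPOOFING
# iptables -A INPUT -i eth0 -s 192.168.0.0/16 -j DROP
#
# Drop packets from outside that are addressed to the loopback range
#
# iptables -A INPUT -i eth0 -d 127.0.0.0/8 -j LOG --log-prefix LOOPBACK
iptables -A INPUT -d 127.0.0.0/8 -j DROP
#
# Reject all NEW tcp connections not beginning with a SYN packet
#
# iptables -A INPUT -i eth0 -p tcp ! --syn -m state --state NEW -j LOG --log-prefix "NEW CONN WITHOUT SYN: "
iptables -A INPUT -p tcp ! --syn -m state --state NEW -j REJECT
#
# ------ FILTERS FOR ICMP protocol ------
#
# Accept echo-requests at up to 10/s from the internal LAN and up to 10/s
# from everywhere else, then drop the rest (the original comment said 4/s;
# the rules say 10/s). NOTE: -m limit is one token bucket per rule, not per
# source -- a single noisy host uses up the allowance for everyone that rule
# matches.
#
iptables -A INPUT -p icmp --icmp-type echo-request -m limit --limit 10/s -s 192.168.202.0/24 -j ACCEPT
# "! -s" (negation before the option) is the form current iptables accepts;
# the older "-s !" form is deprecated.
iptables -A INPUT -p icmp --icmp-type echo-request -m limit --limit 10/s ! -s 192.168.202.0/24 -j ACCEPT
# iptables -A INPUT -i eth0 -p icmp --icmp-type echo-request -j LOG --log-prefix "PING FLOOD: "
iptables -A INPUT -p icmp --icmp-type echo-request -j DROP
#
# ------ END ICMP ------
#
# ------ FILTERS ------
#
# Accept all tcp connections ESTABLISHED
#
iptables -A INPUT -p tcp -m state --state ESTABLISHED -j ACCEPT
#
# Accept all udp connections if ESTABLISHED
#
iptables -A INPUT -p udp -m state --state ESTABLISHED -j ACCEPT
#
# Send all new tcp connections (SYN) to the SYN chain to filter them
#
iptables -A INPUT -p tcp --syn -j SYN
#
# Features of the SYN chain:
# Port 22 (ssh) on the public address. NOTE(review): the original comment
# said "only from internal LAN", but the rules do the opposite -- the first
# DROPs ssh from the internal LAN to the public address and the second
# ACCEPTs it from any other source, capped at 3 concurrent connections per
# source IP (connlimit counts open connections, not a rate). Rules kept as
# written; confirm this exposure is intended.
#
iptables -A SYN -p tcp --destination-port 22 -s 192.168.202.0/24 -d 193.205.228.102/32 -j DROP
iptables -A SYN -p tcp --destination-port 22 -d 193.205.228.102/32 -m connlimit ! --connlimit-above 3 -j ACCEPT
#
# and then reject all the rest
#
# iptables -A SYN -j LOG --log-prefix "CONNECTION REFUSED: "
iptables -A SYN -j REJECT
#
# Reject all on tcp
#
# iptables -A INPUT -i eth0 -p tcp -j LOG --log-prefix "REJECT ALL THE REST: "
iptables -A INPUT -p tcp -j REJECT
#
# Accept all udp packets to port 7001 (afs3-callback)
#
# iptables -A INPUT -i eth0 -p udp --destination-port 7001 -j LOG --log-prefix "AFS Callback: "
iptables -A INPUT -p udp --destination-port 7001 -j ACCEPT
#
# Accept all udp packets to ports 1812, 1813, 1814 (radiusd)
#
for port in 1812 1813 1814; do
  iptables -A INPUT -p udp --destination-port "$port" -j ACCEPT
done
#
# Reject all udp packets
#
# iptables -A INPUT -i eth0 -p udp -j LOG --log-prefix "REJECT UDP: "
iptables -A INPUT -p udp -j REJECT
#
# ------ END FILTERS ------
#
# ------ FORWARD (LAN -> outside) ------
#
# Accept and limit ping request and echo reply
#
iptables -A FORWARD -p icmp --icmp-type echo-request -m limit --limit 5/s -i eth1 -s 192.168.202.0/24 -j ACCEPT
iptables -A FORWARD -p icmp --icmp-type echo-reply -m limit --limit 5/s -j ACCEPT
#
# Accept all udp connections to DNS
#
iptables -A FORWARD -p udp -d 193.206.84.12 --dport 53 -j ACCEPT
iptables -A FORWARD -p udp -d 193.206.84.112 --dport 53 -j ACCEPT
#
# Accept all tcp connections ESTABLISHED or RELATED
#
iptables -A FORWARD -p tcp -m state --state ESTABLISHED -j ACCEPT
iptables -A FORWARD -p tcp -m state --state RELATED -j ACCEPT
#
# Accept all udp connections ESTABLISHED or RELATED
#
iptables -A FORWARD -p udp -m state --state ESTABLISHED -j ACCEPT
iptables -A FORWARD -p udp -m state --state RELATED -j ACCEPT
#
# Per-source caps on concurrent new tcp connections from the LAN:
# ssh 8, http 32, https 32 (the original comment said 16; the rules say 32)
#
iptables -A FORWARD -p tcp --syn --destination-port 22 -s 192.168.202.0/24 -m connlimit ! --connlimit-above 8 -j ACCEPT
iptables -A FORWARD -p tcp --syn --destination-port 80 -s 192.168.202.0/24 -m connlimit ! --connlimit-above 32 -j ACCEPT
iptables -A FORWARD -p tcp --syn --destination-port 443 -s 192.168.202.0/24 -m connlimit ! --connlimit-above 32 -j ACCEPT
#
# Accept and limit all other tcp and udp connections to 32 per source host
#
iptables -A FORWARD -p tcp --syn -s 192.168.202.0/24 -m connlimit ! --connlimit-above 32 -j ACCEPT
iptables -A FORWARD -p udp -s 192.168.202.0/24 -m connlimit ! --connlimit-above 32 -j ACCEPT
#
# and then drop all the rest (the chain policy is DROP as well)
#
iptables -A FORWARD -j DROP
#
# Source NAT to one IP. The LOG rule writes one line per NEW outbound flow;
# keep an eye on log volume on a busy LAN.
#
iptables -t nat -A POSTROUTING -j LOG --log-level info --log-prefix " NAT: " -m state --state NEW
iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to 193.205.228.102
#
# Save the live configuration to /etc/sysconfig/iptables. Abort if the save
# fails: the restart below reloads that file, so continuing after a failed
# save would bring back a stale or empty ruleset.
#
if ! iptables-save -c > /etc/sysconfig/iptables; then
  printf '%s\n' "iptables-save failed; not restarting the iptables service" >&2
  exit 1
fi
#
# Clear the screen
#
#clear
#
# Restart the iptables service so the saved file is what is loaded
# (stop flushes the live rules, start reloads them from the saved file).
#
/etc/rc.d/init.d/iptables stop && /etc/rc.d/init.d/iptables start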