Hello, can anyone good with iptables give this script a once-over? It is working, but in a very inconsistent manner: sometimes it lets traffic in, other times not. Two things it does not have are DHCP rules, as this box gets its address via DHCP, and CIFS rules, as this machine mounts CIFS shares; if anyone has those I'd appreciate them. This is a single-NIC box, not a router, just an internal client I'd like to protect. Adapted from:
http://www.novell.com/coolsolutions/feature/18139.html Thanks. Dave.

#!/bin/bash
#
# Script for iptables firewall

# define variables
IF_PUB=eth0
IP_PUB=192.168.0.106
NET_PRV=192.168.0.0/24
ANYWHERE=0.0.0.0/0

# set up default policies
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP

# remove any existing rules
iptables -F -t nat
iptables -F -t mangle
iptables -F -t filter

# Removes any user-defined chains
iptables -X

# If the machine is a router enable the next line
#echo 1 > /proc/sys/net/ipv4/ip_forward

# forward from the public interface
#iptables -A FORWARD -i $IF_PUB -m state --state ESTABLISHED,RELATED -j ACCEPT

# allow everything to and from the loopback
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

# allow communications on the local network
# This allows unrestricted communications
#iptables -A INPUT -i $IF_PUB -s $NET_PRV -j ACCEPT
# This allows only established or related connections
iptables -A INPUT -i $IF_PUB -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -o $IF_PUB -d $NET_PRV -j ACCEPT

# If you're doing NAT (-o takes an interface name, not an address)
#iptables -t nat -A POSTROUTING -s $NET_PRV -o $IF_PUB -j SNAT --to $IP_PUB

# allow various types of ICMP
# 0 echo reply, 3 destination unreachable, 11 time exceeded, 8 echo request (rate limited)
iptables -A INPUT -p icmp --icmp-type 0 -j ACCEPT
iptables -A INPUT -p icmp --icmp-type 3 -j ACCEPT
iptables -A INPUT -p icmp --icmp-type 11 -j ACCEPT
iptables -A INPUT -p icmp --icmp-type 8 -m limit --limit 1/second -j ACCEPT

# allow ssh
# Without --dport the one-per-minute limit applied to every new inbound TCP
# connection, not only ssh, so connections were accepted or reset at random;
# match new ssh connections only.
iptables -A INPUT -i $IF_PUB -p tcp -d $IP_PUB --dport ssh -m state --state NEW -m limit --limit 1/minute --limit-burst 1 -j ACCEPT

# mail and web server on a different host
#iptables -t nat -A PREROUTING -i $IF_PUB -d $IP_PUB -p tcp --dport smtp -j DNAT --to 192.168.1.254
#iptables -t nat -A PREROUTING -i $IF_PUB -d $IP_PUB -p tcp --dport http -j DNAT --to 192.168.1.253
#iptables -A FORWARD -m state --state NEW,ESTABLISHED,RELATED -i $IF_PUB -p tcp --dport http -j ACCEPT

# send a tcp reject for any other TCP traffic
iptables -A INPUT -p tcp -j REJECT --reject-with tcp-reset

# block irc
# These discard TCP and UDP IRC, IRC server and Secure IRC traffic.
#iptables -A INPUT -p tcp --dport irc -j DROP
#iptables -A INPUT -p udp --dport irc -j DROP
#iptables -A INPUT -p tcp --dport irc-serv -j DROP
#iptables -A INPUT -p udp --dport irc-serv -j DROP
#iptables -A INPUT -p tcp --dport ircs -j DROP
#iptables -A INPUT -p udp --dport ircs -j DROP

# block a specific host
#iptables -A INPUT -i $IF_PUB -s 10.220.231.236 -j REJECT --reject-with icmp-host-prohibited

# traffic from one port to another
#iptables -t nat -A PREROUTING -i $IF_PUB -d $IP_PUB -p tcp --dport 444 -j DNAT --to 192.168.1.254:443
#iptables -A FORWARD -m state --state NEW,ESTABLISHED,RELATED -o $IF_PRV -p tcp --dport 443 -j ACCEPT
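As an added example (not Dave's script and not the Novell article it was adapted from), here is a client-only rule set of the same shape that adds the DHCP-client and CIFS-client rules the post asks for, keeps the ssh limit on new ssh connections only, and logs what it rejects so inconsistent behaviour can be traced in the kernel log. It assumes eth0, the 192.168.0.0/24 LAN and a hypothetical file server at 192.168.0.10; none of those come from the post beyond the interface and LAN. With IPT=echo it prints the rules instead of loading them, so it can be reviewed before being run as root.

```shell
#!/bin/sh
# Added example, not the original script: single-NIC client firewall with
# DHCP client and CIFS client rules. "apply" loads it (as root); "show"
# prints the rule set without touching the kernel.
IF_PUB="${IF_PUB:-eth0}"                     # assumed interface name
NET_PRV="${NET_PRV:-192.168.0.0/24}"         # assumed LAN
CIFS_SERVER="${CIFS_SERVER:-192.168.0.10}"   # hypothetical file server, not from the post
IPT="${IPT:-iptables}"                       # set IPT=echo for a dry run

build_rules() {
    # default deny in every direction, then flush whatever was loaded before
    $IPT -P INPUT DROP
    $IPT -P OUTPUT DROP
    $IPT -P FORWARD DROP
    $IPT -F
    $IPT -X

    # loopback is unrestricted
    $IPT -A INPUT  -i lo -j ACCEPT
    $IPT -A OUTPUT -o lo -j ACCEPT

    # replies to connections this host opened, in both directions
    $IPT -A INPUT  -i "$IF_PUB" -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A OUTPUT -o "$IF_PUB" -m state --state ESTABLISHED,RELATED -j ACCEPT
    # drop what conntrack cannot classify rather than letting it fall through
    $IPT -A INPUT -m state --state INVALID -j DROP

    # DHCP client: requests leave from UDP 68 to 67, usually to the broadcast
    # address, so a "-d $NET_PRV" rule never matches them; the offer comes back
    # from UDP 67 to 68 addressed to the broadcast or the not-yet-held lease
    # address, so conntrack does not pair it with the request. Allow explicitly.
    $IPT -A OUTPUT -o "$IF_PUB" -p udp --sport 68 --dport 67 -j ACCEPT
    $IPT -A INPUT  -i "$IF_PUB" -p udp --sport 67 --dport 68 -j ACCEPT

    # CIFS client: SMB over TCP 445 (139 for NetBIOS session service) to the
    # file server only; the ESTABLISHED rule above admits the replies
    for port in 445 139; do
        $IPT -A OUTPUT -o "$IF_PUB" -p tcp -d "$CIFS_SERVER" --dport "$port" \
             -m state --state NEW -j ACCEPT
    done

    # ICMP: echo reply, destination unreachable, time exceeded; echo request rate limited
    for t in 0 3 11; do
        $IPT -A INPUT -p icmp --icmp-type "$t" -j ACCEPT
    done
    $IPT -A INPUT -p icmp --icmp-type 8 -m limit --limit 1/second -j ACCEPT

    # ssh from the LAN only; the limit applies to new ssh connections, not all TCP
    $IPT -A INPUT -i "$IF_PUB" -p tcp -s "$NET_PRV" --dport 22 -m state --state NEW \
         -m limit --limit 1/minute --limit-burst 3 -j ACCEPT

    # other outbound traffic stays inside the LAN, as in the original script
    $IPT -A OUTPUT -o "$IF_PUB" -d "$NET_PRV" -j ACCEPT

    # log (rate limited) and then reject everything else, so refused
    # connections show up in the kernel log instead of failing silently
    $IPT -A INPUT -m limit --limit 5/minute -j LOG --log-prefix "fw-drop: "
    $IPT -A INPUT -p tcp -j REJECT --reject-with tcp-reset
}

# Dry-run helper: number of rules that match a given destination port.
rules_for_port() {
    ( IPT=echo; build_rules ) | grep -c -- "--dport $1"
}

case "${1:-}" in
    apply) build_rules ;;
    show)  ( IPT=echo; build_rules ) ;;
esac
```

Run `sh client-fw.sh show` to review the generated rules and `sudo sh client-fw.sh apply` to load them; `rules_for_port 445` is the kind of check that confirms the CIFS rule is present before anything is loaded.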