shokti

ubuntu 12.04 - iptables rules

Dec 27th, 2013
  1. /sbin/iptables -F
  2. /sbin/iptables -F -t nat
  3.  
  4. #policies
  5. /sbin/iptables -P OUTPUT ACCEPT
  6. /sbin/iptables -P INPUT DROP
  7. /sbin/iptables -P FORWARD ACCEPT
  8. /sbin/iptables -t nat -P OUTPUT ACCEPT
  9. /sbin/iptables -t nat -P PREROUTING ACCEPT
  10. /sbin/iptables -t nat -P POSTROUTING ACCEPT
  11.  
  12. #masquerade
  13. /sbin/iptables --table nat -A POSTROUTING -o eth0 -j MASQUERADE
  14.  
  15. #drop spoofed packets
  16. /sbin/iptables -A INPUT --source 127.0.0.0/8 ! --in-interface lo -j DROP
  17.  
  18. #limit ping requests
  19. /sbin/iptables -A INPUT -p icmp -m limit --limit 1/second -j ACCEPT
  20.  
  21. #drop bogus packets
  22. /sbin/iptables -A INPUT -m state --state INVALID -j DROP
  23. /sbin/iptables -A FORWARD -m state --state INVALID -j DROP
  24. /sbin/iptables -A OUTPUT -m state --state INVALID -j DROP
  25. /sbin/iptables -t filter -A INPUT -p tcp --tcp-flags FIN,ACK FIN -j DROP
  26. /sbin/iptables -t filter -A INPUT -p tcp --tcp-flags ACK,PSH PSH -j DROP
  27. /sbin/iptables -t filter -A INPUT -p tcp --tcp-flags ACK,URG URG -j DROP
  28. /sbin/iptables -t filter -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
  29. /sbin/iptables -t filter -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
  30. /sbin/iptables -t filter -A INPUT -p tcp --tcp-flags FIN,RST FIN,RST -j DROP
  31. /sbin/iptables -t filter -A INPUT -p tcp --tcp-flags ALL FIN,PSH,URG -j DROP
  32.  
  33. #allow responses
  34. /sbin/iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
  35.  
  36. #allow loopback
  37. /sbin/iptables -A INPUT --in-interface lo -j ACCEPT
  38.  
  39. #allow SSH
  40. /sbin/iptables -A INPUT -p tcp --dport 22 -j ACCEPT
  41.  
  42. #allow http and https
  43. /sbin/iptables -A INPUT -p tcp --dport 80 -j ACCEPT
  44. /sbin/iptables -A INPUT -p tcp --dport 443 -j ACCEPT
  45.  
  46. #allow samba share
  47. /sbin/iptables -A INPUT -p udp -m udp -s 192.168.0.0/24 --dport 137 -j ACCEPT
  48. /sbin/iptables -A INPUT -p udp -m udp -s 192.168.0.0/24 --dport 138 -j ACCEPT
  49. /sbin/iptables -A INPUT -m state --state NEW -m tcp -p tcp -s 192.168.0.0/24 --dport 139 -j ACCEPT
  50. /sbin/iptables -A INPUT -m state --state NEW -m tcp -p tcp -s 192.168.0.0/24 --dport 445 -j ACCEPT
  51.  
  52. #allow pptpd
  53. /sbin/iptables -A INPUT -p gre -j ACCEPT
  54. /sbin/iptables -A INPUT -p tcp --dport 1723 -j ACCEPT
  55.  
  56. #port forward remote desktop from public ip to private client ip inside the network
  57. /sbin/iptables -t nat -A PREROUTING -i eth0 -d 10.10.10.1 -p tcp --dport 3390 -j DNAT --to 192.168.0.200:3389
  58. /sbin/iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 3390 -j REDIRECT --to-port 3389
  59. /sbin/iptables -A INPUT -p tcp --dport 3389 -j ACCEPT
  60. /sbin/iptables -A FORWARD -d 192.168.0.200 -p tcp --dport 3389 -j ACCEPT