- /sbin/iptables -F
- /sbin/iptables -F -t nat
- #policies
- /sbin/iptables -P OUTPUT ACCEPT
- /sbin/iptables -P INPUT DROP
- /sbin/iptables -P FORWARD ACCEPT
- /sbin/iptables -t nat -P OUTPUT ACCEPT
- /sbin/iptables -t nat -P PREROUTING ACCEPT
- /sbin/iptables -t nat -P POSTROUTING ACCEPT
- #masquerade
- /sbin/iptables --table nat -A POSTROUTING -o eth0 -j MASQUERADE
- #drop spoofed packets
- /sbin/iptables -A INPUT --source 127.0.0.0/8 ! --in-interface lo -j DROP
- #limit ping requests
- /sbin/iptables -A INPUT -p icmp -m limit --limit 1/second -j ACCEPT
- #drop bogus packets
- /sbin/iptables -A INPUT -m state --state INVALID -j DROP
- /sbin/iptables -A FORWARD -m state --state INVALID -j DROP
- /sbin/iptables -A OUTPUT -m state --state INVALID -j DROP
- /sbin/iptables -t filter -A INPUT -p tcp --tcp-flags FIN,ACK FIN -j DROP
- /sbin/iptables -t filter -A INPUT -p tcp --tcp-flags ACK,PSH PSH -j DROP
- /sbin/iptables -t filter -A INPUT -p tcp --tcp-flags ACK,URG URG -j DROP
- /sbin/iptables -t filter -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
- /sbin/iptables -t filter -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
- /sbin/iptables -t filter -A INPUT -p tcp --tcp-flags FIN,RST FIN,RST -j DROP
- /sbin/iptables -t filter -A INPUT -p tcp --tcp-flags ALL FIN,PSH,URG -j DROP
- #allow responses
- /sbin/iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
- #allow loopback
- /sbin/iptables -A INPUT --in-interface lo -j ACCEPT
- #allow SSH
- /sbin/iptables -A INPUT -p tcp --dport 22 -j ACCEPT
- #allow http and https
- /sbin/iptables -A INPUT -p tcp --dport 80 -j ACCEPT
- /sbin/iptables -A INPUT -p tcp --dport 443 -j ACCEPT
- #allow samba share
- /sbin/iptables -A INPUT -p udp -m udp -s 192.168.0.0/24 --dport 137 -j ACCEPT
- /sbin/iptables -A INPUT -p udp -m udp -s 192.168.0.0/24 --dport 138 -j ACCEPT
- /sbin/iptables -A INPUT -m state --state NEW -m tcp -p tcp -s 192.168.0.0/24 --dport 139 -j ACCEPT
- /sbin/iptables -A INPUT -m state --state NEW -m tcp -p tcp -s 192.168.0.0/24 --dport 445 -j ACCEPT
- #allow pptpd
- /sbin/iptables -A INPUT -p gre -j ACCEPT
- /sbin/iptables -A INPUT -p tcp --dport 1723 -j ACCEPT
- #port forward remote desktop from public ip to private client ip inside the network
- /sbin/iptables -t nat -A PREROUTING -i eth0 -d 10.10.10.1 -p tcp --dport 3390 -j DNAT --to 192.168.0.200:3389
- /sbin/iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 3390 -j REDIRECT --to-port 3389
- /sbin/iptables -A INPUT -p tcp --dport 3389 -j ACCEPT
- /sbin/iptables -A FORWARD -d 192.168.0.200 -p tcp --dport 3389 -j ACCEPT