- Credit goes to Mox
- ======================================
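#!/bin/sh
#
# Stateful iptables firewall for a small NAT gateway (rule set credit: Mox).
# Default policy is DROP on INPUT, OUTPUT and FORWARD; the ACCEPT rules open
# only what is listed, traffic from INT_NET is masqueraded, and whatever
# reaches the end of a chain is logged before the policy drops it.
#
# Cleanups relative to the original paste (behaviour otherwise kept):
#   - a second "-t filter -F" / "-X" that sat in the middle of the rule set
#     and silently wiped every rule appended before it is gone;
#   - "-A INPUT -p tcp --syn -j ACCEPT", which accepted every new inbound TCP
#     connection and so made the INPUT DROP policy meaningless, is gone;
#   - duplicate rules, rules unreachable behind an earlier DROP, the never
#     referenced "syn-flood" chain and the FORWARD rules for -d 127.0.0.1
#     (loopback destinations are not forwarded) are gone;
#   - negation uses the supported "! -s" / "! -i" form instead of "-s !";
#   - the closing iptables-save | iptables-restore round-trip only saves
#     (restoring what had just been saved was a no-op).
#
# Usage: sh firewall.sh   (as root; applies the rules immediately)
# Requires: iptables, modprobe, a kernel with conntrack/NAT support.

IPTABLES=/sbin/iptables
MODPROBE=/sbin/modprobe

# Trusted LAN and the interface it is attached to; the anti-spoofing and
# LAN-only ACCEPT rules are bound to INT_IF.
INT_NET=192.168.1.0/24
INT_IF=eth1
# Interface masqueraded traffic leaves on.  The original bound both the
# anti-spoofing rules (LAN side) and MASQUERADE (WAN side) to eth1, which
# cannot both be right on a two-NIC gateway -- TODO(review): set EXT_IF to
# the real WAN interface before deploying.
EXT_IF=eth1
SAVE_FILE=/root/ipt.save

# Clear every rule and user chain in filter and nat, then default to DROP.
# Policies are set before any ACCEPT rule, so a failure part-way through
# leaves the box closed rather than open.
reset_tables() {
  $IPTABLES -F
  $IPTABLES -t nat -F
  $IPTABLES -X
  $IPTABLES -P INPUT DROP
  $IPTABLES -P OUTPUT DROP
  $IPTABLES -P FORWARD DROP
}

# Load connection-tracking and NAT helpers.  nf_* are the current module
# names; ip_conntrack / ip_nat_ftp are the older names the original used and
# are tried as a fallback.  Best-effort: on kernels with the code built in
# modprobe fails harmlessly.
load_modules() {
  $MODPROBE nf_conntrack 2>/dev/null || $MODPROBE ip_conntrack 2>/dev/null || :
  $MODPROBE iptable_nat 2>/dev/null || :
  $MODPROBE nf_conntrack_ftp 2>/dev/null || $MODPROBE ip_conntrack_ftp 2>/dev/null || :
  $MODPROBE nf_nat_ftp 2>/dev/null || $MODPROBE ip_nat_ftp 2>/dev/null || :
}

# Early INPUT rules against malformed TCP flag combinations, SYN floods and
# ICMP floods.  Appended before the per-chain rules, so they see every
# inbound packet first.
scan_flood_rules() {
  # Impossible flag combinations: all-flags / no-flags on a new connection,
  # and the FIN,URG,PSH / SYN,RST / SYN,FIN pairs.
  $IPTABLES -A INPUT -m state --state NEW -p tcp --tcp-flags ALL ALL -j DROP
  $IPTABLES -A INPUT -m state --state NEW -p tcp --tcp-flags ALL NONE -j DROP
  $IPTABLES -A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
  $IPTABLES -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
  $IPTABLES -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP

  # Every inbound SYN goes through SYN_FLOOD: within the limit it RETURNs to
  # INPUT, above it is dropped.  NB: "-m limit" is one global bucket (2/s,
  # burst 6) shared by all sources, so a flood from one host also throttles
  # legitimate connections; "-m hashlimit" keyed on the source address would
  # limit per source instead.
  $IPTABLES -N SYN_FLOOD
  $IPTABLES -A INPUT -p tcp --syn -j SYN_FLOOD
  $IPTABLES -A SYN_FLOOD -m limit --limit 2/s --limit-burst 6 -j RETURN
  $IPTABLES -A SYN_FLOOD -j DROP

  # ICMP: accept 1/s (burst 2), log the overflow at the same rate, drop the
  # rest.  All outbound ICMP is allowed.
  $IPTABLES -A INPUT -p icmp -m limit --limit 1/s --limit-burst 2 -j ACCEPT
  $IPTABLES -A INPUT -p icmp -m limit --limit 1/s --limit-burst 2 -j LOG --log-prefix "PING-DROP:"
  $IPTABLES -A INPUT -p icmp -j DROP
  $IPTABLES -A OUTPUT -p icmp -j ACCEPT
}

# INPUT: drop INVALID, accept replies and loopback, drop spoofed LAN traffic,
# then the explicit service ports.  Anything left is logged and falls through
# to the DROP policy.
input_rules() {
  $IPTABLES -A INPUT -m state --state INVALID -j LOG --log-prefix "DROP INVALID" --log-ip-options --log-tcp-options
  $IPTABLES -A INPUT -m state --state INVALID -j DROP
  $IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
  $IPTABLES -A INPUT -i lo -j ACCEPT

  # Anti-spoofing: packets arriving on the LAN interface must carry a LAN source.
  $IPTABLES -A INPUT -i "$INT_IF" ! -s "$INT_NET" -j LOG --log-prefix "SPOOFED PKT "
  $IPTABLES -A INPUT -i "$INT_IF" ! -s "$INT_NET" -j DROP

  # SSH from the LAN; new connections must start with a SYN.
  $IPTABLES -A INPUT -i "$INT_IF" -p tcp -s "$INT_NET" --dport 22 --syn -m state --state NEW -j ACCEPT

  # Service ports from the second half of the original paste.  These match on
  # EVERY interface and source (the 22 entry makes the LAN-only rule above
  # redundant): add "-i $INT_IF -s $INT_NET" to any service that is not meant
  # to be reachable from the WAN.
  for port in 22 20:21 30000:50000 25 80 110 143 443; do
    $IPTABLES -A INPUT -p tcp --dport "$port" -j ACCEPT
  done
  $IPTABLES -A INPUT -p tcp --dport 53 -j ACCEPT
  $IPTABLES -A INPUT -p udp --dport 53 -j ACCEPT

  # Default: log what is about to hit the DROP policy (loopback excluded).
  $IPTABLES -A INPUT ! -i lo -j LOG --log-prefix "DROP " --log-ip-options --log-tcp-options
}

# OUTPUT: drop INVALID, accept replies and loopback, then the permitted
# outbound services; the rest is logged and dropped by policy.
output_rules() {
  $IPTABLES -A OUTPUT -m state --state INVALID -j LOG --log-prefix "DROP INVALID " --log-ip-options --log-tcp-options
  $IPTABLES -A OUTPUT -m state --state INVALID -j DROP
  $IPTABLES -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
  $IPTABLES -A OUTPUT -o lo -j ACCEPT

  # New outbound TCP connections: ftp, ssh, smtp, whois, http, https, 4321.
  for port in 21 22 25 43 80 443 4321; do
    $IPTABLES -A OUTPUT -p tcp --dport "$port" --syn -m state --state NEW -j ACCEPT
  done
  $IPTABLES -A OUTPUT -p udp --dport 53 -m state --state NEW -j ACCEPT

  # Stateless outbound allowances from the second half of the original paste:
  # DNS over TCP, NTP, FTP control/data plus a passive range, POP3, IMAP
  # (its 25/43/80/443 entries are already covered by the stateful rules above).
  $IPTABLES -A OUTPUT -p tcp --dport 53 -j ACCEPT
  $IPTABLES -A OUTPUT -p udp --dport 123 -j ACCEPT
  for port in 20:21 30000:50000 110 143; do
    $IPTABLES -A OUTPUT -p tcp --dport "$port" -j ACCEPT
  done

  $IPTABLES -A OUTPUT ! -o lo -j LOG --log-prefix "DROP " --log-ip-options --log-tcp-options
}

# FORWARD: same INVALID / ESTABLISHED handling and LAN anti-spoofing, then
# the services LAN hosts may reach.  http, https, dns, ping and ssh were not
# bound to the LAN side in the original and are kept that way.
forward_rules() {
  $IPTABLES -A FORWARD -m state --state INVALID -j LOG --log-prefix "DROP INVALID " --log-ip-options --log-tcp-options
  $IPTABLES -A FORWARD -m state --state INVALID -j DROP
  $IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
  $IPTABLES -A FORWARD -i "$INT_IF" ! -s "$INT_NET" -j LOG --log-prefix "SPOOFED PKT "
  $IPTABLES -A FORWARD -i "$INT_IF" ! -s "$INT_NET" -j DROP

  # From the LAN only: ftp, ssh, smtp, whois, 4321.
  for port in 21 22 25 43 4321; do
    $IPTABLES -A FORWARD -p tcp -i "$INT_IF" -s "$INT_NET" --dport "$port" --syn -m state --state NEW -j ACCEPT
  done
  # From anywhere: http, https, dns, ping, ssh.
  $IPTABLES -A FORWARD -p tcp --dport 80 --syn -m state --state NEW -j ACCEPT
  $IPTABLES -A FORWARD -p tcp --dport 443 --syn -m state --state NEW -j ACCEPT
  $IPTABLES -A FORWARD -p udp --dport 53 -m state --state NEW -j ACCEPT
  $IPTABLES -A FORWARD -p icmp --icmp-type echo-request -j ACCEPT
  $IPTABLES -A FORWARD -p tcp --dport 22 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

  $IPTABLES -A FORWARD ! -i lo -j LOG --log-prefix "DROP " --log-ip-options --log-tcp-options
}

# Masquerade LAN traffic leaving on the external interface.
nat_rules() {
  $IPTABLES -t nat -A POSTROUTING -s "$INT_NET" -o "$EXT_IF" -j MASQUERADE
}

# Turn on IPv4 routing between interfaces.
enable_forwarding() {
  echo 1 > /proc/sys/net/ipv4/ip_forward
}

# Keep a copy of the live rule set.  The file describes the firewall in full,
# so it is created with owner-only permissions.
save_rules() {
  ( umask 077 && iptables-save > "$SAVE_FILE" )
}

main() {
  if [ "$(id -u)" -ne 0 ]; then
    echo "this script must be run as root" >&2
    exit 1
  fi
  reset_tables
  load_modules
  scan_flood_rules
  printf '\nSetting up INPUT chain...\n'
  input_rules
  printf '\nSetting up OUTPUT chain...\n'
  output_rules
  printf '\nSetting up FORWARD chain...\n'
  forward_rules
  printf '\nSetting up NAT rules...\n'
  nat_rules
  printf '\nEnabling IP forwarding...\n'
  enable_forwarding
  save_rules
}

main "$@"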