SirUnnice

IpTables Tomato Router

Jun 14th, 2015
  1. Credit goes to Mox
  2. ======================================
  3.  
  4. #!/bin/sh
  5. IPTABLES=/sbin/iptables
  6. MODPROBE=/sbin/modprobe
  7. INT_NET=192.168.1.0/24
  8.  
  9. $IPTABLES -F
  10. $IPTABLES -F -t nat
  11. $IPTABLES -X
  12. $IPTABLES -P INPUT DROP
  13. $IPTABLES -P OUTPUT DROP
  14. $IPTABLES -P FORWARD DROP
  15.  
  16. ### load connection-tracking modules
  17. $MODPROBE ip_conntrack
  18. $MODPROBE iptable_nat
  19. $MODPROBE ip_conntrack_ftp
  20. $MODPROBE ip_nat_ftp
  21.  
  22.  
  23. # PORT Scanners (stealth also)
  24. $IPTABLES -A INPUT -m state --state NEW -p tcp --tcp-flags ALL ALL -j DROP
  25. $IPTABLES -A INPUT -m state --state NEW -p tcp --tcp-flags ALL NONE -j DROP
  26.  
  27. # TODO: Some more anti-spoofing rules? For example:
  28. $IPTABLES -A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
  29. $IPTABLES -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
  30. $IPTABLES -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
  31. $IPTABLES -N SYN_FLOOD
  32. $IPTABLES -A INPUT -p tcp --syn -j SYN_FLOOD
  33. $IPTABLES -A SYN_FLOOD -m limit --limit 2/s --limit-burst 6 -j RETURN
  34. $IPTABLES -A SYN_FLOOD -j DROP
  35. # Make It Even Harder To Multi-PING
  36. $IPTABLES -A INPUT -p icmp -m limit --limit 1/s --limit-burst 2 -j ACCEPT
  37. $IPTABLES -A INPUT -p icmp -m limit --limit 1/s --limit-burst 2 -j LOG --log-prefix PING-DROP:
  38. $IPTABLES -A INPUT -p icmp -j DROP
  39. $IPTABLES -A OUTPUT -p icmp -j ACCEPT
  40.  
  41. ###### INPUT chain ######
  42. echo "
  43.  
  44. Setting up INPUT chain..."
  45.  
  46. ### state tracking rules
  47. $IPTABLES -A INPUT -m state --state INVALID -j LOG --log-prefix "DROP INVALID" --log-ip-options --log-tcp-options
  48. $IPTABLES -A INPUT -m state --state INVALID -j DROP
  49. $IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
  50.  
  51. ### anti-spoofing rules
  52. $IPTABLES -A INPUT -i eth1 -s ! $INT_NET -j LOG --log-prefix "SPOOFED PKT "
  53. $IPTABLES -A INPUT -i eth1 -s ! $INT_NET -j DROP
  54.  
  55. ### ACCEPT rules
  56. $IPTABLES -A INPUT -i eth1 -p tcp -s $INT_NET --dport 22 --syn -m state --state NEW -j ACCEPT
  57. $IPTABLES -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
  58.  
  59. ### default INPUT LOG rule
  60. $IPTABLES -A INPUT -i ! lo -j LOG --log-prefix "DROP " --log-ip-options --log-tcp-options
  61.  
  62. ###### OUTPUT chain ######
  63. echo "
  64.  
  65. Setting up OUTPUT chain..."
  66.  
  67. ### state tracking rules
  68. $IPTABLES -A OUTPUT -m state --state INVALID -j LOG --log-prefix "DROP INVALID " --log-ip-options --log-tcp-options
  69. $IPTABLES -A OUTPUT -m state --state INVALID -j DROP
  70. $IPTABLES -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
  71.  
  72. ### ACCEPT rules for allowing connections out
  73. $IPTABLES -A OUTPUT -p tcp --dport 21 --syn -m state --state NEW -j ACCEPT
  74. $IPTABLES -A OUTPUT -p tcp --dport 22 --syn -m state --state NEW -j ACCEPT
  75. $IPTABLES -A OUTPUT -p tcp --dport 25 --syn -m state --state NEW -j ACCEPT
  76. $IPTABLES -A OUTPUT -p tcp --dport 43 --syn -m state --state NEW -j ACCEPT
  77. $IPTABLES -A OUTPUT -p tcp --dport 80 --syn -m state --state NEW -j ACCEPT
  78. $IPTABLES -A OUTPUT -p tcp --dport 443 --syn -m state --state NEW -j ACCEPT
  79. $IPTABLES -A OUTPUT -p tcp --dport 4321 --syn -m state --state NEW -j ACCEPT
  80. $IPTABLES -A OUTPUT -p udp --dport 53 -m state --state NEW -j ACCEPT
  81. $IPTABLES -A OUTPUT -p icmp --icmp-type echo-request -j ACCEPT
  82.  
  83. ### default OUTPUT LOG rule
  84. $IPTABLES -A OUTPUT -o ! lo -j LOG --log-prefix "DROP " --log-ip-options --log-tcp-options
  85.  
  86. ### state tracking rules
  87. $IPTABLES -A FORWARD -m state --state INVALID -j LOG --log-prefix "DROP INVALID " --log-ip-options --log-tcp-options
  88. $IPTABLES -A FORWARD -m state --state INVALID -j DROP
  89. $IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
  90. $IPTABLES -A FORWARD -i eth1 -s ! $INT_NET -j LOG --log-prefix "SPOOFED PKT "
  91. $IPTABLES -A FORWARD -i eth1 -s ! $INT_NET -j DROP
  92. $IPTABLES -A FORWARD -p tcp -i eth1 -s $INT_NET --dport 21 --syn -m state --state NEW -j ACCEPT
  93. $IPTABLES -A FORWARD -p tcp -i eth1 -s $INT_NET --dport 22 --syn -m state --state NEW -j ACCEPT
  94. $IPTABLES -A FORWARD -p tcp -i eth1 -s $INT_NET --dport 25 --syn -m state --state NEW -j ACCEPT
  95. $IPTABLES -A FORWARD -p tcp -i eth1 -s $INT_NET --dport 43 --syn -m state --state NEW -j ACCEPT
  96. $IPTABLES -A FORWARD -p tcp --dport 80 --syn -m state --state NEW -j ACCEPT
  97. $IPTABLES -A FORWARD -p tcp --dport 443 --syn -m state --state NEW -j ACCEPT
  98. $IPTABLES -A FORWARD -p tcp -i eth1 -s $INT_NET --dport 4321 --syn -m state --state NEW -j ACCEPT
  99. $IPTABLES -A FORWARD -p udp --dport 53 -m state --state NEW -j ACCEPT
  100. $IPTABLES -A FORWARD -p icmp --icmp-type echo-request -j ACCEPT
  101. $IPTABLES -t filter -F
  102. $IPTABLES -t filter -X
  103. $IPTABLES -t filter -A INPUT -p tcp --dport 22 -j ACCEPT
  104. $IPTABLES -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
  105. $IPTABLES -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
  106. $IPTABLES -t filter -A INPUT -i lo -j ACCEPT
  107. $IPTABLES -t filter -A OUTPUT -o lo -j ACCEPT
  108. $IPTABLES -t filter -A INPUT -p icmp -j DROP
  109. $IPTABLES -t filter -A OUTPUT -p icmp -j DROP
  110. $IPTABLES -t filter -A OUTPUT -p tcp --dport 53 -j ACCEPT
  111. $IPTABLES -t filter -A OUTPUT -p udp --dport 53 -j ACCEPT
  112. $IPTABLES -t filter -A INPUT -p tcp --dport 53 -j ACCEPT
  113. $IPTABLES -t filter -A INPUT -p udp --dport 53 -j ACCEPT
  114. $IPTABLES -t filter -A OUTPUT -p udp --dport 123 -j ACCEPT
  115. $IPTABLES -t filter -A OUTPUT -p tcp --dport 43 -j ACCEPT
  116. $IPTABLES -t filter -A OUTPUT -p tcp --dport 20:21 -j ACCEPT
  117. $IPTABLES -t filter -A OUTPUT -p tcp --dport 30000:50000 -j ACCEPT
  118. $IPTABLES -t filter -A INPUT -p tcp --dport 20:21 -j ACCEPT
  119. $IPTABLES -t filter -A INPUT -p tcp --dport 30000:50000 -j ACCEPT
  120. $IPTABLES -t filter -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
  121. $IPTABLES -t filter -A OUTPUT -p tcp --dport 80 -j ACCEPT
  122. $IPTABLES -t filter -A OUTPUT -p tcp --dport 443 -j ACCEPT
  123. $IPTABLES -t filter -A INPUT -p tcp --dport 80 -j ACCEPT
  124. $IPTABLES -t filter -A INPUT -p tcp --dport 443 -j ACCEPT
  125. $IPTABLES -t filter -A INPUT -p tcp --dport 25 -j ACCEPT
  126. $IPTABLES -t filter -A OUTPUT -p tcp --dport 25 -j ACCEPT
  127. $IPTABLES -t filter -A INPUT -p tcp --dport 110 -j ACCEPT
  128. $IPTABLES -t filter -A OUTPUT -p tcp --dport 110 -j ACCEPT
  129. $IPTABLES -t filter -A INPUT -p tcp --dport 143 -j ACCEPT
  130. $IPTABLES -t filter -A OUTPUT -p tcp --dport 143 -j ACCEPT
  131. $IPTABLES -N syn-flood
  132. $IPTABLES -A syn-flood -m limit --limit 10/second --limit-burst 50 -j RETURN
  133. $IPTABLES -A syn-flood -j LOG --log-prefix "SYN FLOOD: "
  134. $IPTABLES -A syn-flood -j DROP
  135. $IPTABLES -A FORWARD -i eth0 -o eth1 -p tcp -d 127.0.0.1 -j ACCEPT
  136. $IPTABLES -A FORWARD -i eth0 -o eth1 -p tcp -m multiport --dport 80,20,21 -d 127.0.0.1 -j ACCEPT
  137. $IPTABLES -A FORWARD -i venet0 -o eth1 -p tcp -d 127.0.0.1 -j ACCEPT
  138. $IPTABLES -A FORWARD -i venet0 -o eth1 -p tcp -m multiport --dport 80,20,21 -d 127.0.0.1 -j ACCEPT
  139. $IPTABLES -A FORWARD -p tcp --dport 22 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
  140. $IPTABLES -A OUTPUT -p tcp -m state --state RELATED,ESTABLISHED -j ACCEPT
  141. $IPTABLES -A INPUT -p tcp --syn -j ACCEPT
  142. $IPTABLES -A INPUT -m state --state INVALID -j DROP
  143. $IPTABLES -A OUTPUT -p icmp -j ACCEPT
  144. $IPTABLES -A FORWARD -i ! lo -j LOG --log-prefix "DROP " --log-ip-options --log-tcp-options
  145.  
  146. ###### NAT rules ######
  147. echo "
  148.  
  149. Setting up NAT rules..."
  150. $IPTABLES -t nat -A POSTROUTING -s $INT_NET -o eth1 -j MASQUERADE
  151.  
  152. ###### forwarding ######
  153. echo "
  154.  
  155. Enabling IP forwarding..."
  156.  
  157. echo 1 > /proc/sys/net/ipv4/ip_forward
  158. iptables-save > /root/ipt.save
  159. cat /root/ipt.save | iptables-restore