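#!/bin/bash
# Host firewall for a single-homed IPv4 server.
#
# Policy: INPUT and FORWARD default to DROP, OUTPUT is open, and only the
# ports listed in SERVICES_TCP / SERVICES_UDP are reachable. The rules are
# flushed and rebuilt from scratch on every run, then persisted with
# /etc/rc.d/iptables save.
#
# Requires root. Only the IPv4 tables are touched: ip6tables is left as it
# is, so on a host with IPv6 enabled the same services are reachable over
# IPv6 regardless of what is configured here.
#
# Ordering matters in INPUT: spoof checks, flag checks, the SYN-flood limit
# and the port-scan trap all sit *before* the rate-limited REJECT. In the
# original layout they came after it, so almost every packet had already
# been answered with a TCP reset / ICMP error before those rules were
# consulted, which made them dead and turned spoofed sources into
# reflection targets.

set -u

# Exposed ports, space-separated. The loops below deliberately rely on
# word-splitting of these two variables.
SERVICES_UDP=""
SERVICES_TCP="80"

# Internet-facing interface. The private-address spoof checks are tied to
# it; export EXT_IF before running on a host whose uplink is not eth0.
EXT_IF="${EXT_IF:-eth0}"
readonly SERVICES_UDP SERVICES_TCP EXT_IF

if (( EUID != 0 )); then
  printf '%s: must run as root to manage iptables\n' "${0##*/}" >&2
  exit 1
fi

# --- Clean slate -----------------------------------------------------------
iptables -F
iptables -t nat -F
iptables -t mangle -F
iptables -X
iptables -t nat -X
iptables -t mangle -X

# Policies go in before any ACCEPT rule so that a failure part-way through
# the script leaves the host closed rather than open.
iptables -P OUTPUT  ACCEPT
iptables -P INPUT   DROP
iptables -P FORWARD DROP

# --- other_packets: hygiene applied to every inbound packet ----------------
iptables -N other_packets
iptables -A other_packets -p ALL -m state --state INVALID -j DROP
# ICMP types a server should never act on from the network. (In the
# original these lived in service_sec, which is only entered for TCP/UDP
# service ports, so they never matched anything.)
for icmp_type in redirect router-advertisement router-solicitation \
                 address-mask-request address-mask-reply; do
  iptables -A other_packets -p icmp --icmp-type "$icmp_type" -j DROP
done
# Original author's choice: do not answer ping on the uplink. Delete this
# line if the host must be pingable.
iptables -A other_packets -p icmp --icmp-type echo-request -i "$EXT_IF" -j DROP
iptables -A other_packets -p icmp -m limit --limit 1/s -j ACCEPT
iptables -A other_packets -p ALL -j RETURN

# --- service_sec: sanity checks for packets to an exposed port -------------
# Entered from the services chain; anything not dropped here RETURNs and is
# then ACCEPTed by services.
iptables -N service_sec
# Private and loopback sources cannot legitimately arrive on the uplink.
for net in 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 127.0.0.0/8; do
  iptables -A service_sec -i "$EXT_IF" -s "$net" -j DROP
done
# NOTE: the 2/s SYN rule only short-circuits the flag checks below for the
# first few SYNs; SYNs over the limit are not dropped, they fall through
# to RETURN and are accepted. It is not a connection-rate limit.
iptables -A service_sec -p tcp --syn -m limit --limit 2/s -j ACCEPT
iptables -A service_sec -p tcp ! --syn -m state --state NEW -j DROP
iptables -A service_sec -p tcp --tcp-flags ALL NONE -m limit --limit 1/h -j ACCEPT
iptables -A service_sec -p tcp --tcp-flags ALL ALL -m limit --limit 1/h -j ACCEPT
iptables -A service_sec -p tcp --tcp-flags ALL ALL -j DROP
iptables -A service_sec -p tcp --tcp-flags ALL NONE -j DROP
iptables -A service_sec -p ALL -j RETURN

# --- reject_packets: protocol-appropriate refusal --------------------------
iptables -N reject_packets
iptables -A reject_packets -p tcp  -j REJECT --reject-with tcp-reset
iptables -A reject_packets -p udp  -j REJECT --reject-with icmp-port-unreachable
iptables -A reject_packets -p icmp -j REJECT --reject-with icmp-host-unreachable
iptables -A reject_packets -j REJECT --reject-with icmp-proto-unreachable
iptables -A reject_packets -p ALL -j RETURN

# --- services: the exposed ports -------------------------------------------
iptables -N services
for port in $SERVICES_TCP; do
  iptables -A services -p tcp --dport "$port" -j service_sec
  iptables -A services -p tcp --dport "$port" -j ACCEPT
done
for port in $SERVICES_UDP; do
  iptables -A services -p udp --dport "$port" -j service_sec
  iptables -A services -p udp --dport "$port" -j ACCEPT
done
iptables -A services -p ALL -j RETURN

# --- INPUT -----------------------------------------------------------------
iptables -A INPUT -p ALL -i lo -j ACCEPT

# Port-scan lockout. Anyone recorded in the "portscan" list (fed by the
# trap further down) is shut out for a day; once the entry is older than
# that it is removed and the source starts over.
iptables -A INPUT -m recent --name portscan --rcheck --seconds 86400 -j DROP
iptables -A INPUT -m recent --name portscan --remove

iptables -A INPUT -p ALL -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p ALL -j other_packets

# Impossible flag combinations and SYN floods are dropped before any
# service is consulted.
iptables -A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
iptables -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
iptables -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
iptables -A INPUT -m state --state NEW -p tcp -m tcp --syn \
  -m recent --name synflood --set
iptables -A INPUT -m state --state NEW -p tcp -m tcp --syn \
  -m recent --name synflood --update --seconds 1 --hitcount 60 -j DROP

iptables -A INPUT -p ALL -j services

# Non-routable and spoofed addresses are dropped silently. These must sit
# above the REJECT: replying to a forged source with a reset or ICMP error
# makes this host a reflector.
for net in 10.0.0.0/8 169.254.0.0/16 172.16.0.0/12 127.0.0.0/8 \
           224.0.0.0/4 240.0.0.0/5 0.0.0.0/8; do
  iptables -A INPUT -s "$net" -j DROP
done
for net in 224.0.0.0/4 240.0.0.0/5 0.0.0.0/8 239.255.255.0/24 255.255.255.255; do
  iptables -A INPUT -d "$net" -j DROP
done

# Port-scan trap: a probe of 139 is logged, recorded and dropped. It has to
# precede the REJECT, otherwise the probe is answered before reaching it.
iptables -A INPUT -p tcp -m tcp --dport 139 \
  -m recent --name portscan --set -j LOG --log-prefix "Portscan:"
iptables -A INPUT -p tcp -m tcp --dport 139 \
  -m recent --name portscan --set -j DROP

# Everything else is refused, rate-limited; past the limit the packet falls
# through to the explicit drops and finally the DROP policy.
iptables -A INPUT -p ALL -m limit --limit 10/s -j reject_packets

# Explicit drops from the original (duplicate 135 removed). With the DROP
# policy they are redundant; kept so the intent stays visible in the
# rule listing.
for port in 22 98 113 135 445 901 4662 3389 6000 10000; do
  iptables -A INPUT -p tcp --dport "$port" -j DROP
done

# --- FORWARD (policy DROP; only the port-scan bookkeeping is kept) ---------
iptables -A FORWARD -m recent --name portscan --rcheck --seconds 86400 -j DROP
iptables -A FORWARD -m recent --name portscan --remove
iptables -A FORWARD -p tcp -m tcp --dport 139 \
  -m recent --name portscan --set -j LOG --log-prefix "Portscan:"
iptables -A FORWARD -p tcp -m tcp --dport 139 \
  -m recent --name portscan --set -j DROP

# --- OUTPUT ----------------------------------------------------------------
iptables -A OUTPUT -p ALL -j ACCEPT

# Persist the ruleset (distribution rc script, as in the original).
/etc/rc.d/iptables save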