Not a member of Pastebin yet?
Sign Up,
it unlocks many cool features!
- #!/bin/bash
- iptables -P INPUT ACCEPT
- iptables -P OUTPUT ACCEPT
- iptables -P FORWARD ACCEPT
- # Gotta allow loop back
- iptables -A INPUT -i lo -j ACCEPT
- # Allow related or established connections
- iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
- # Allow desited ports
- iptables -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
- iptables -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
- iptables -A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
- # Deny SYN,ACK bullshit
- iptables -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j DROP
- iptables -A INPUT -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j DROP
- iptables -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,PSH,ACK,URG -j DROP
- iptables -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
- # Deny Reserved Address ranges that may be spoofed
- iptables -A INPUT -s 0.0.0.0/8 -i venet0:0 -j DROP
- iptables -A INPUT -s 127.0.0.0/8 -i venet0:0 -j DROP
- iptables -A INPUT -s 10.0.0.0/8 -i venet0:0 -j DROP
- iptables -A INPUT -s 172.16.0.0/12 -i venet0:0 -j DROP
- iptables -A INPUT -s 192.168.0.0/16 -i venet0:0 -j DROP
- iptables -A INPUT -s 224.0.0.0/3 -i venet0:0 -j DROP
- # Drop all udp traffic
- iptables -A INPUT -p udp -j DROP
- # Doesnt match any rules above, drop by default
- iptables -A INPUT -f -j DROP
- # Deny pings
- iptables -A OUTPUT -p icmp -m icmp --icmp-type any -j DROP
Add Comment
Please, Sign In to add comment