##/etc/network/interfaces
# External interface
auto eth0
allow-hotplug eth0
iface eth0 inet static
address
netmask
gateway
# Internal interface
auto eth1
allow-hotplug eth1
iface eth1 inet static
address 192.168.1.10
netmask 255.255.255.0
##/etc/hosts
192.168.1.20 hosting
192.168.1.30 mail
192.168.1.40 file
192.168.1.50 db
##/etc/resolv.conf
nameserver IP
nameserver IP
##/etc/network/if-post-down.d/firewall-save
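#!/bin/sh
# Run by ifdown (if-post-down.d) for every interface that goes down:
# snapshot the current IPv4 ruleset and its counters to /etc/firewall.conf
# so that firewall-restore can reload them on the next ifup.
echo
echo "Saving firewall..."
echo
# Write to a temp file and rename: a plain "> /etc/firewall.conf" truncates
# the previous snapshot before iptables-save even runs, so a failed save
# (e.g. netfilter modules not loaded yet) would leave an empty ruleset to
# be restored later. mktemp creates the file mode 0600, which the rename
# keeps; the ruleset is only ever read by root via iptables-restore.
tmp=$(mktemp /etc/firewall.conf.XXXXXX) || exit 1
if /sbin/iptables-save -c > "$tmp"; then
    mv -f -- "$tmp" /etc/firewall.conf
else
    echo "iptables-save failed; keeping previous /etc/firewall.conf" >&2
    rm -f -- "$tmp"
    exit 1
fi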
##/etc/network/if-pre-up.d/firewall-restore
#!/bin/sh
# Run by ifup (if-pre-up.d) before an interface comes up: reload the
# ruleset snapshot written by firewall-save, if one exists. With no
# snapshot present the script exits quietly and the rules are left as is.
saved=/etc/firewall.conf
[ -f "$saved" ] || exit 0
echo
echo "Restoring firewall..."
echo
/sbin/iptables-restore -c < "$saved"
##/etc/init.d/iptables-setup
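#!/bin/sh
# /etc/init.d/iptables-setup: rebuild the host firewall from scratch.
#
# eth0 is the external interface and eth1 the intranet (see
# /etc/network/interfaces). INPUT and FORWARD fail closed (policy DROP);
# OUTPUT is left open. Only iptables (IPv4) is configured here — nothing
# touches ip6tables, so IPv6 traffic is governed by whatever policy the
# host already has for it.
#
# No "set -e": the DROP policies are installed before the rules, so
# aborting on one failed rule would leave a partial ruleset; every
# iptables line runs regardless. Check "iptables -S" after editing.
echo
echo "Setting up firewall rules..."
echo

# Add conntrack modules if they are not loaded yet (the ftp helper is
# required by the "-m helper --helper ftp" rule below).
# NOTE(review): ip_conntrack/ip_conntrack_ftp are the legacy module names;
# newer kernels call them nf_conntrack/nf_conntrack_ftp — confirm they
# resolve on this host.
modprobe ip_conntrack
modprobe ip_conntrack_ftp

# Kernel network hardening (written to the "all" node; per-interface
# settings may still apply — see the kernel's ip-sysctl docs).
# Enable broadcast echo protection
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
# Disable source routed packets
echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route
# Enable TCP SYN cookie protection
echo 1 > /proc/sys/net/ipv4/tcp_syncookies
# Disable ICMP redirect acceptance
echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects
# Don't send redirect messages
echo 0 > /proc/sys/net/ipv4/conf/all/send_redirects
# Drop spoofed packets coming in on an interface where responses
# would result in the reply going out a different interface.
echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter

# Set default policy before flushing so the host is never open while
# the rules are being rebuilt.
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT

# Flush current firewall
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X

# Create SSH chain: source addresses allowed to reach sshd. A packet that
# matches none of them returns to INPUT and ends up at the DROP policy.
iptables -N SSH
iptables -A SSH -s 83.80.24.69/32 -j ACCEPT
iptables -A SSH -s 83.80.135.185/32 -j ACCEPT
iptables -A SSH -s 84.245.4.152/32 -j ACCEPT
iptables -A SSH -s 87.212.79.160/32 -j ACCEPT
iptables -A SSH -s 82.94.218.137/32 -j ACCEPT
iptables -A SSH -s 82.95.51.234/32 -j ACCEPT

# Drop invalid packets
iptables -A INPUT -m conntrack --ctstate INVALID -j DROP
# Allow local connections
iptables -A INPUT -i lo -j ACCEPT
# Allow all established connections through
iptables -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
# Allow intranet connections
iptables -A INPUT -i eth1 -j ACCEPT
# Allow forwarding from the intranet. "--ctstate" is an option of the
# conntrack match, so "-m conntrack" must precede it; without it iptables
# rejects the rule and intranet forwarding was never actually enabled.
iptables -A FORWARD -i eth1 -m conntrack --ctstate NEW -j ACCEPT
iptables -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
# Allow http(s)
iptables -A INPUT -p tcp -m multiport --dports 80,443 -j ACCEPT
# Allow ftp traffic tracked by the ftp conntrack helper.
# NOTE(review): no rule here admits new connections to the FTP control
# port itself, so external FTP is only reachable if something outside this
# script allows it — confirm that is intended.
iptables -A INPUT -m helper --helper ftp -j ACCEPT
# Send ssh to the ssh chain
iptables -A INPUT -p tcp -m tcp --dport ssh -j SSH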