API tools faq
paste
osteth

SIG-antiDDoS.sh

osteth
Apr 6th, 2016
177
0
Never
Add comment
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
Bash 16.97 KB | None | 0 0
raw download clone embed print report diff
  1. #!/bin/sh
  2. #------------------------------------------------------------------------------
  3. #
  4. # File: SIG-antiDDoS.sh
  5. #
  6. # Compiler: Ruslan Abuzant <ruslan@abuzant.com>
  7. #           PS> Collected From Lots Of Sources
  8. #           PS> Credits: Real Authors (no idea)
  9. #
  10. # URL: http://www.liteforex.org/
  11. #
  12. # License: GNU GPL (version 2, or any later version).
  13. #
  14. # Configuration.
  15. #------------------------------------------------------------------------------
  16.  
  17. # For debugging use iptables -v.
  18. IPTABLES="/sbin/iptables"
  19. IP6TABLES="/sbin/ip6tables"
  20. MODPROBE="/sbin/modprobe"
  21. RMMOD="/sbin/rmmod"
  22. ARP="/usr/sbin/arp"
  23.  
  24.  
  25. # Logging options.
  26. #------------------------------------------------------------------------------
  27. LOG="LOG --log-level debug --log-tcp-sequence --log-tcp-options"
  28. LOG="$LOG --log-ip-options"
  29.  
  30.  
  31. # Defaults for rate limiting
  32. #------------------------------------------------------------------------------
  33. RLIMIT="-m limit --limit 3/s --limit-burst 8"
  34.  
  35.  
  36. # Unprivileged ports.
  37. #------------------------------------------------------------------------------
  38. PHIGH="1024:65535"
  39. PSSH="1000:1023"
  40.  
  41.  
  42. # Load required kernel modules
  43. #------------------------------------------------------------------------------
  44. $MODPROBE ip_conntrack_ftp
  45. $MODPROBE ip_conntrack_irc
  46.  
  47.  
  48. # Mitigate ARP spoofing/poisoning and similar attacks.
  49. #------------------------------------------------------------------------------
  50. # Hardcode static ARP cache entries here
  51. # $ARP -s IP-ADDRESS MAC-ADDRESS
  52.  
  53.  
  54. # Kernel configuration.
  55. #------------------------------------------------------------------------------
  56.  
  57. # Disable IP forwarding.
  58. # On => Off = (reset)
  59. echo 1 > /proc/sys/net/ipv4/ip_forward
  60. echo 0 > /proc/sys/net/ipv4/ip_forward
  61.  
  62. # Enable IP spoofing protection
  63. for i in /proc/sys/net/ipv4/conf/*/rp_filter; do echo 1 > $i; done
  64.  
  65. # Protect against SYN flood attacks
  66. echo 1 > /proc/sys/net/ipv4/tcp_syncookies
  67.  
  68. # Ignore all incoming ICMP echo requests
  69. echo 0 > /proc/sys/net/ipv4/icmp_echo_ignore_all
  70.  
  71. # Ignore ICMP echo requests to broadcast
  72. echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
  73.  
  74. # Log packets with impossible addresses.
  75. for i in /proc/sys/net/ipv4/conf/*/log_martians; do echo 1 > $i; done
  76.  
  77. # Don't log invalid responses to broadcast
  78. echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
  79.  
  80. # Don't accept or send ICMP redirects.
  81. for i in /proc/sys/net/ipv4/conf/*/accept_redirects; do echo 0 > $i; done
  82. for i in /proc/sys/net/ipv4/conf/*/send_redirects; do echo 0 > $i; done
  83.  
  84. # Don't accept source routed packets.
  85. for i in /proc/sys/net/ipv4/conf/*/accept_source_route; do echo 0 > $i; done
  86.  
  87. # Disable multicast routing
  88. for i in /proc/sys/net/ipv4/conf/*/mc_forwarding; do echo 0 > $i; done
  89.  
  90. # Disable proxy_arp.
  91. for i in /proc/sys/net/ipv4/conf/*/proxy_arp; do echo 0 > $i; done
  92.  
  93. # Enable secure redirects, i.e. only accept ICMP redirects for gateways
  94. # Helps against MITM attacks.
  95. for i in /proc/sys/net/ipv4/conf/*/secure_redirects; do echo 1 > $i; done
  96.  
  97. # Disable bootp_relay
  98. for i in /proc/sys/net/ipv4/conf/*/bootp_relay; do echo 0 > $i; done
  99.  
  100. # Default policies.
  101. #------------------------------------------------------------------------------
  102.  
  103. # Drop everything by default.
  104. $IPTABLES -P INPUT DROP
  105. $IPTABLES -P FORWARD DROP
  106. $IPTABLES -P OUTPUT DROP
  107.  
  108. # Set the nat/mangle/raw tables' chains to ACCEPT
  109. $IPTABLES -t nat -P PREROUTING ACCEPT
  110. $IPTABLES -t nat -P OUTPUT ACCEPT
  111. $IPTABLES -t nat -P POSTROUTING ACCEPT
  112.  
  113. $IPTABLES -t mangle -P PREROUTING ACCEPT
  114. $IPTABLES -t mangle -P INPUT ACCEPT
  115. $IPTABLES -t mangle -P FORWARD ACCEPT
  116. $IPTABLES -t mangle -P OUTPUT ACCEPT
  117. $IPTABLES -t mangle -P POSTROUTING ACCEPT
  118.  
  119. # Cleanup.
  120. #------------------------------------------------------------------------------
  121.  
  122. # Delete all
  123. $IPTABLES -F
  124. $IPTABLES -t nat -F
  125. $IPTABLES -t mangle -F
  126.  
  127. # Delete all
  128. $IPTABLES -X
  129. $IPTABLES -t nat -X
  130. $IPTABLES -t mangle -X
  131.  
  132. # Zero all packets and counters.
  133. $IPTABLES -Z
  134. $IPTABLES -t nat -Z
  135. $IPTABLES -t mangle -Z
  136.  
  137. # Completely disable IPv6.
  138. #------------------------------------------------------------------------------
  139.  
  140. # Block all IPv6 traffic
  141. # If the ip6tables command is available, try to block all IPv6 traffic.
  142. if test -x $IP6TABLES; then
  143. # Set the default policies
  144. # drop everything
  145. $IP6TABLES -P INPUT DROP 2>/dev/null
  146. $IP6TABLES -P FORWARD DROP 2>/dev/null
  147. $IP6TABLES -P OUTPUT DROP 2>/dev/null
  148.  
  149. # The mangle table can pass everything
  150. $IP6TABLES -t mangle -P PREROUTING ACCEPT 2>/dev/null
  151. $IP6TABLES -t mangle -P INPUT ACCEPT 2>/dev/null
  152. $IP6TABLES -t mangle -P FORWARD ACCEPT 2>/dev/null
  153. $IP6TABLES -t mangle -P OUTPUT ACCEPT 2>/dev/null
  154. $IP6TABLES -t mangle -P POSTROUTING ACCEPT 2>/dev/null
  155.  
  156. # Delete all rules.
  157. $IP6TABLES -F 2>/dev/null
  158. $IP6TABLES -t mangle -F 2>/dev/null
  159.  
  160. # Delete all chains.
  161. $IP6TABLES -X 2>/dev/null
  162. $IP6TABLES -t mangle -X 2>/dev/null
  163.  
  164. # Zero all packets and counters.
  165. $IP6TABLES -Z 2>/dev/null
  166. $IP6TABLES -t mangle -Z 2>/dev/null
  167. fi
  168.  
  169. # Custom user-defined chains.
  170. #------------------------------------------------------------------------------
  171.  
  172. # LOG packets, then ACCEPT.
  173. $IPTABLES -N ACCEPTLOG
  174. $IPTABLES -A ACCEPTLOG -j $LOG $RLIMIT --log-prefix "ACCEPT "
  175. $IPTABLES -A ACCEPTLOG -j ACCEPT
  176.  
  177. # LOG packets, then DROP.
  178. $IPTABLES -N DROPLOG
  179. $IPTABLES -A DROPLOG -j $LOG $RLIMIT --log-prefix "DROP "
  180. $IPTABLES -A DROPLOG -j DROP
  181.  
  182. # LOG packets, then REJECT.
  183. # TCP packets are rejected with a TCP reset.
  184. $IPTABLES -N REJECTLOG
  185. $IPTABLES -A REJECTLOG -j $LOG $RLIMIT --log-prefix "REJECT "
  186. $IPTABLES -A REJECTLOG -p tcp -j REJECT --reject-with tcp-reset
  187. $IPTABLES -A REJECTLOG -j REJECT
  188.  
  189. # Only allows RELATED ICMP types
  190. # (destination-unreachable, time-exceeded, and parameter-problem).
  191. # TODO: Rate-limit this traffic?
  192. # TODO: Allow fragmentation-needed?
  193. # TODO: Test.
  194. $IPTABLES -N RELATED_ICMP
  195. $IPTABLES -A RELATED_ICMP -p icmp --icmp-type destination-unreachable -j ACCEPT
  196. $IPTABLES -A RELATED_ICMP -p icmp --icmp-type time-exceeded -j ACCEPT
  197. $IPTABLES -A RELATED_ICMP -p icmp --icmp-type parameter-problem -j ACCEPT
  198. $IPTABLES -A RELATED_ICMP -j DROPLOG
  199.  
  200. # Make It Even Harder To Multi-PING
  201. $IPTABLES  -A INPUT -p icmp -m limit --limit 1/s --limit-burst 2 -j ACCEPT
  202. $IPTABLES  -A INPUT -p icmp -m limit --limit 1/s --limit-burst 2 -j LOG --log-prefix PING-DROP:
  203. $IPTABLES  -A INPUT -p icmp -j DROP
  204. $IPTABLES  -A OUTPUT -p icmp -j ACCEPT
  205.  
  206. # Only allow the minimally required/recommended parts of ICMP. Block the rest.
  207. #------------------------------------------------------------------------------
  208.  
  209. # TODO: This section needs a lot of testing!
  210.  
  211. # First, drop all fragmented ICMP packets (almost always malicious).
  212. $IPTABLES -A INPUT -p icmp --fragment -j DROPLOG
  213. $IPTABLES -A OUTPUT -p icmp --fragment -j DROPLOG
  214. $IPTABLES -A FORWARD -p icmp --fragment -j DROPLOG
  215.  
  216. # Allow all ESTABLISHED ICMP traffic.
  217. $IPTABLES -A INPUT -p icmp -m state --state ESTABLISHED -j ACCEPT $RLIMIT
  218. $IPTABLES -A OUTPUT -p icmp -m state --state ESTABLISHED -j ACCEPT $RLIMIT
  219.  
  220. # Allow some parts of the RELATED ICMP traffic, block the rest.
  221. $IPTABLES -A INPUT -p icmp -m state --state RELATED -j RELATED_ICMP $RLIMIT
  222. $IPTABLES -A OUTPUT -p icmp -m state --state RELATED -j RELATED_ICMP $RLIMIT
  223.  
  224. # Allow incoming ICMP echo requests (ping), but only rate-limited.
  225. $IPTABLES -A INPUT -p icmp --icmp-type echo-request -j ACCEPT $RLIMIT
  226.  
  227. # Allow outgoing ICMP echo requests (ping), but only rate-limited.
  228. $IPTABLES -A OUTPUT -p icmp --icmp-type echo-request -j ACCEPT $RLIMIT
  229.  
  230. # Drop any other ICMP traffic.
  231. $IPTABLES -A INPUT -p icmp -j DROPLOG
  232. $IPTABLES -A OUTPUT -p icmp -j DROPLOG
  233. $IPTABLES -A FORWARD -p icmp -j DROPLOG
  234.  
  235. # Selectively allow certain special types of traffic.
  236. #------------------------------------------------------------------------------
  237.  
  238. # Allow loopback interface to do anything.
  239. $IPTABLES -A INPUT -i lo -j ACCEPT
  240. $IPTABLES -A OUTPUT -o lo -j ACCEPT
  241.  
  242. # Allow incoming connections related to existing allowed connections.
  243. $IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
  244.  
  245. # Allow outgoing connections EXCEPT invalid
  246. $IPTABLES -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
  247.  
  248. # Miscellaneous.
  249. #------------------------------------------------------------------------------
  250.  
  251. # We don't care about Milkosoft, Drop SMB/CIFS/etc..
  252. $IPTABLES -A INPUT -p tcp -m multiport --dports 135,137,138,139,445,1433,1434 -j DROP
  253. $IPTABLES -A INPUT -p udp -m multiport --dports 135,137,138,139,445,1433,1434 -j DROP
  254.  
  255. # Explicitly drop invalid incoming traffic
  256. $IPTABLES -A INPUT -m state --state INVALID -j DROP
  257.  
  258. # Drop invalid outgoing traffic, too.
  259. $IPTABLES -A OUTPUT -m state --state INVALID -j DROP
  260.  
  261. # If we would use NAT, INVALID packets would pass - BLOCK them anyways
  262. $IPTABLES -A FORWARD -m state --state INVALID -j DROP
  263.  
  264. # PORT Scanners (stealth also)
  265. $IPTABLES -A INPUT -m state --state NEW -p tcp --tcp-flags ALL ALL -j DROP
  266. $IPTABLES -A INPUT -m state --state NEW -p tcp --tcp-flags ALL NONE -j DROP
  267.  
  268. # TODO: Some more anti-spoofing rules? For example:
  269. # $IPTABLES -A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
  270. # $IPTABLES -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
  271. # $IPTABLES -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
  272. $IPTABLES -N SYN_FLOOD
  273. $IPTABLES -A INPUT -p tcp --syn -j SYN_FLOOD
  274. $IPTABLES -A SYN_FLOOD -m limit --limit 2/s --limit-burst 6 -j RETURN
  275. $IPTABLES -A SYN_FLOOD -j DROP
  276.  
  277. # TODO: Block known-bad IPs (see http://www.dshield.org/top10.php).
  278. # $IPTABLES -A INPUT -s INSERT-BAD-IP-HERE -j DROPLOG
  279.  
  280. # Drop any traffic from IANA-reserved IPs.
  281. #------------------------------------------------------------------------------
  282.  
  283. $IPTABLES -A INPUT -s 0.0.0.0/7 -j DROP
  284. $IPTABLES -A INPUT -s 2.0.0.0/8 -j DROP
  285. $IPTABLES -A INPUT -s 5.0.0.0/8 -j DROP
  286. $IPTABLES -A INPUT -s 7.0.0.0/8 -j DROP
  287. $IPTABLES -A INPUT -s 10.0.0.0/8 -j DROP
  288. $IPTABLES -A INPUT -s 23.0.0.0/8 -j DROP
  289. $IPTABLES -A INPUT -s 27.0.0.0/8 -j DROP
  290. $IPTABLES -A INPUT -s 31.0.0.0/8 -j DROP
  291. $IPTABLES -A INPUT -s 36.0.0.0/7 -j DROP
  292. $IPTABLES -A INPUT -s 39.0.0.0/8 -j DROP
  293. $IPTABLES -A INPUT -s 42.0.0.0/8 -j DROP
  294. $IPTABLES -A INPUT -s 49.0.0.0/8 -j DROP
  295. $IPTABLES -A INPUT -s 50.0.0.0/8 -j DROP
  296. $IPTABLES -A INPUT -s 77.0.0.0/8 -j DROP
  297. $IPTABLES -A INPUT -s 78.0.0.0/7 -j DROP
  298. $IPTABLES -A INPUT -s 92.0.0.0/6 -j DROP
  299. $IPTABLES -A INPUT -s 96.0.0.0/4 -j DROP
  300. $IPTABLES -A INPUT -s 112.0.0.0/5 -j DROP
  301. $IPTABLES -A INPUT -s 120.0.0.0/8 -j DROP
  302. $IPTABLES -A INPUT -s 169.254.0.0/16 -j DROP
  303. $IPTABLES -A INPUT -s 172.16.0.0/12 -j DROP
  304. $IPTABLES -A INPUT -s 173.0.0.0/8 -j DROP
  305. $IPTABLES -A INPUT -s 174.0.0.0/7 -j DROP
  306. $IPTABLES -A INPUT -s 176.0.0.0/5 -j DROP
  307. $IPTABLES -A INPUT -s 184.0.0.0/6 -j DROP
  308. $IPTABLES -A INPUT -s 192.0.2.0/24 -j DROP
  309. $IPTABLES -A INPUT -s 197.0.0.0/8 -j DROP
  310. $IPTABLES -A INPUT -s 198.18.0.0/15 -j DROP
  311. $IPTABLES -A INPUT -s 223.0.0.0/8 -j DROP
  312. $IPTABLES -A INPUT -s 224.0.0.0/3 -j DROP
  313.  
  314. # Selectively allow certain outbound connections, block the rest.
  315. #------------------------------------------------------------------------------
  316.  
  317. # Allow outgoing DNS requests. Few things will work without this.
  318. $IPTABLES -A OUTPUT -m state --state NEW -p udp --dport 53 -j ACCEPT
  319. $IPTABLES -A OUTPUT -m state --state NEW -p tcp --dport 53 -j ACCEPT
  320.  
  321. # Allow outgoing HTTP requests. Unencrypted, use with care.
  322. $IPTABLES -A OUTPUT -m state --state NEW -p tcp --dport 80 -j ACCEPT
  323.  
  324. # Allow outgoing HTTPS requests.
  325. $IPTABLES -A OUTPUT -m state --state NEW -p tcp --dport 443 -j ACCEPT
  326.  
  327. # Allow outgoing SMTPS requests. Do NOT allow unencrypted SMTP!
  328. # $IPTABLES -A OUTPUT -m state --state NEW -p tcp --dport 465 -j ACCEPT
  329.  
  330. # Allow outgoing "submission" (RFC 2476) requests.
  331. $IPTABLES -A OUTPUT -m state --state NEW -p tcp --dport 587 -j ACCEPT
  332.  
  333. # Allow outgoing POP3S requests.
  334. $IPTABLES -A OUTPUT -m state --state NEW -p tcp --dport 995 -j ACCEPT
  335.  
  336. # Allow outgoing SSH requests.
  337. $IPTABLES -A OUTPUT -m state --state NEW -p tcp --dport 22 -j ACCEPT
  338.  
  339. # Allow outgoing FTP requests. Unencrypted, use with care.
  340. $IPTABLES -A OUTPUT -m state --state NEW -p tcp --dport 21 -j ACCEPT
  341.  
  342. # Allow outgoing NNTP requests. Unencrypted, use with care.
  343. # $IPTABLES -A OUTPUT -m state --state NEW -p tcp --dport 119 -j ACCEPT
  344.  
  345. # Allow outgoing NTP requests. Unencrypted, use with care.
  346. # $IPTABLES -A OUTPUT -m state --state NEW -p udp --dport 123 -j ACCEPT
  347.  
  348. # Allow outgoing IRC requests. Unencrypted, use with care.
  349. # Note: This usually needs the ip_conntrack_irc kernel module.
  350. # $IPTABLES -A OUTPUT -m state --state NEW -p tcp --dport 6667 -j ACCEPT
  351.  
  352. # Allow outgoing requests to various proxies. Unencrypted, use with care.
  353. # $IPTABLES -A OUTPUT -m state --state NEW -p tcp --dport 8080 -j ACCEPT
  354. # $IPTABLES -A OUTPUT -m state --state NEW -p tcp --dport 8090 -j ACCEPT
  355.  
  356. # Allow outgoing DHCP requests. Unencrypted, use with care.
  357. # TODO: This is completely untested, I have no idea whether it works!
  358. # TODO: I think this can be tightened a bit more.
  359. $IPTABLES -A OUTPUT -m state --state NEW -p udp --sport 67:68 --dport 67:68 -j ACCEPT
  360.  
  361. # Allow outgoing CVS requests. Unencrypted, use with care.
  362. # $IPTABLES -A OUTPUT -m state --state NEW -p tcp --dport 2401 -j ACCEPT
  363.  
  364. # Allow outgoing MySQL requests. Unencrypted, use with care.
  365. # $IPTABLES -A OUTPUT -m state --state NEW -p tcp --dport 3306 -j ACCEPT
  366.  
  367. # Allow outgoing SVN requests. Unencrypted, use with care.
  368. # $IPTABLES -A OUTPUT -m state --state NEW -p tcp --dport 3690 -j ACCEPT
  369.  
  370. # Allow outgoing PLESK requests. Unencrypted, use with care.
  371. # $IPTABLES -A OUTPUT -m state --state NEW -p tcp --dport 8443 -j ACCEPT
  372.  
  373. # Allow outgoing Tor (http://tor.eff.org) requests.
  374. # Note: Do _not_ use unencrypted protocols over Tor (sniffing is possible)!
  375. # $IPTABLES -A OUTPUT -m state --state NEW -p tcp --dport 9001 -j ACCEPT
  376. # $IPTABLES -A OUTPUT -m state --state NEW -p tcp --dport 9002 -j ACCEPT
  377. # $IPTABLES -A OUTPUT -m state --state NEW -p tcp --dport 9030 -j ACCEPT
  378. # $IPTABLES -A OUTPUT -m state --state NEW -p tcp --dport 9031 -j ACCEPT
  379. # $IPTABLES -A OUTPUT -m state --state NEW -p tcp --dport 9090 -j ACCEPT
  380. # $IPTABLES -A OUTPUT -m state --state NEW -p tcp --dport 9091 -j ACCEPT
  381.  
  382. # Allow outgoing OpenVPN requests.
  383. $IPTABLES -A OUTPUT -m state --state NEW -p udp --dport 1194 -j ACCEPT
  384.  
  385. # TODO: ICQ, MSN, GTalk, Skype, Yahoo, etc...
  386.  
  387. # Selectively allow certain inbound connections, block the rest.
  388. #------------------------------------------------------------------------------
  389.  
  390. # Allow incoming DNS requests.
  391. $IPTABLES -A INPUT -m state --state NEW -p udp --dport 53 -j ACCEPT
  392. $IPTABLES -A INPUT -m state --state NEW -p tcp --dport 53 -j ACCEPT
  393.  
  394. # Allow incoming HTTP requests.
  395. $IPTABLES -A INPUT -m state --state NEW -p tcp --dport 80 -j ACCEPT
  396.  
  397. # Allow incoming HTTPS requests.
  398. $IPTABLES -A INPUT -m state --state NEW -p tcp --dport 443 -j ACCEPT
  399.  
  400. # Allow incoming POP3 requests.
  401. $IPTABLES -A INPUT -m state --state NEW -p tcp --dport 110 -j ACCEPT
  402.  
  403. # Allow incoming IMAP4 requests.
  404. $IPTABLES -A INPUT -m state --state NEW -p tcp --dport 143 -j ACCEPT
  405.  
  406. # Allow incoming POP3S requests.
  407. $IPTABLES -A INPUT -m state --state NEW -p tcp --dport 995 -j ACCEPT
  408.  
  409. # Allow incoming SMTP requests.
  410. $IPTABLES -A INPUT -m state --state NEW -p tcp --dport 25 -j ACCEPT
  411.  
  412. # Allow incoming SSH requests.
  413. $IPTABLES -A INPUT -m state --state NEW -p tcp --dport 22 -j ACCEPT
  414.  
  415. # Allow incoming FTP requests.
  416. $IPTABLES -A INPUT -m state --state NEW -p tcp --dport 21 -j ACCEPT
  417.  
  418. # Allow incoming NNTP requests.
  419. # $IPTABLES -A INPUT -m state --state NEW -p tcp --dport 119 -j ACCEPT
  420.  
  421. # Allow incoming MySQL requests.
  422. # $IPTABLES -A INPUT -m state --state NEW -p tcp --dport 3306 -j ACCEPT
  423.  
  424. # Allow incoming PLESK requests.
  425. # $IPTABLES -A INPUT -m state --state NEW -p tcp --dport 8843 -j ACCEPT
  426.  
  427. # Allow incoming BitTorrent requests.
  428. # TODO: Are these already handled by ACCEPTing established/related traffic?
  429. # $IPTABLES -A INPUT -m state --state NEW -p tcp --dport 6881 -j ACCEPT
  430. # $IPTABLES -A INPUT -m state --state NEW -p udp --dport 6881 -j ACCEPT
  431.  
  432. # Allow incoming nc requests.
  433. # $IPTABLES -A INPUT -m state --state NEW -p tcp --dport 2030 -j ACCEPT
  434. # $IPTABLES -A INPUT -m state --state NEW -p udp --dport 2030 -j ACCEPT
  435.  
  436. # Explicitly log and reject everything else.
  437. #------------------------------------------------------------------------------
  438. # Use REJECT instead of REJECTLOG if you don't need/want logging.
  439. $IPTABLES -A INPUT -j REJECTLOG
  440. $IPTABLES -A OUTPUT -j REJECTLOG
  441. $IPTABLES -A FORWARD -j REJECTLOG
  442.  
  443.  
  444. #------------------------------------------------------------------------------
  445. # Testing the firewall.
  446. #------------------------------------------------------------------------------
  447.  
  448. # You should check/test that the firewall really works, using
  449. # iptables -vnL, nmap, ping, telnet, ...
  450.  
  451. # Exit gracefully.
  452. #------------------------------------------------------------------------------
  453. ## write to boot if needed?
  454. ### iptables-save > /etc/sysconfig/iptables ??
  455.     exit 0
Add Comment
Please, Sign In to add comment
Public Pastes
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy.  OK, I Understand
Not a member of Pastebin yet?
Sign Up, it unlocks many cool features!