SHARE
TWEET

Untitled

a guest Apr 17th, 2008 409 Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
  1. #!/bin/bash
  2.  
  3. # No spoofing
  4. if [ -e /proc/sys/net/ipv4/conf/all/rp_filter ]
  5. then
  6. for filtre in /proc/sys/net/ipv4/conf/*/rp_filter
  7. do
  8. echo 1 > $filtre
  9. done
  10. fi
  11.  
  12. # No icmp
  13. echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all
  14. echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
  15.  
  16. #load some modules you may need
  17. modprobe ip_tables
  18. modprobe ip_nat_ftp
  19. modprobe ip_nat_irc
  20. modprobe iptable_filter
  21. modprobe iptable_nat
  22.  
  23. # Remove all rules and chains
  24. iptables -F
  25. iptables -X
  26.  
  27. # first set the default behaviour => accept connections
  28. iptables -P INPUT ACCEPT
  29. iptables -P OUTPUT ACCEPT
  30. iptables -P FORWARD ACCEPT
  31.  
  32. # Create 2 chains, it allows to write a clean script
  33. iptables -N FIREWALL
  34. iptables -N TRUSTED
  35.  
  36. # Allow ESTABLISHED and RELATED incoming connection
  37. iptables -A FIREWALL -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
  38. # Allow loopback traffic
  39. iptables -A FIREWALL -i lo -j ACCEPT
  40. # Send all package to the TRUSTED chain
  41. iptables -A FIREWALL -j TRUSTED
  42. # DROP all other packets
  43. iptables -A FIREWALL -j DROP
  44.  
  45. # Rate limit SSH attempts.
  46. iptables -A INPUT -p tcp -m tcp --dport ssh -m state --state NEW -m recent --hitcount 3 --seconds 180 --update -j DROP
  47.  
  48. # Allow first attempts through
  49. iptables -A INPUT -p tcp -m tcp --dport ssh -m state --state NEW -m recent --set -j TRUSTED
  50.  
  51. # Send all INPUT packets to the FIREWALL chain
  52. iptables -A INPUT -j FIREWALL
  53. # DROP all forward packets, we don't share the internet connection
  54. iptables -A FORWARD -j DROP
  55.  
  56. # Now process what to allow through from the TRUSTED chain:
  57.  
  58. # Allow domain
  59. iptables -A TRUSTED -i eth0 -p udp -m udp --dport 67 -j ACCEPT  
  60. iptables -A TRUSTED -i eth0 -p udp -m udp --dport 68 -j ACCEPT  
  61. iptables -A TRUSTED -i eth0 -p tcp -m tcp --dport 67 -j ACCEPT
  62. iptables -A TRUSTED -i eth0 -p tcp -m tcp --dport 68 -j ACCEPT
  63.  
  64. # Allow domain
  65. iptables -A TRUSTED -i eth0 -p udp -m udp --dport 53 -j ACCEPT  
  66. iptables -A TRUSTED -i eth0 -p tcp -m tcp --dport 53 -j ACCEPT
  67.  
  68. # Allow ssh
  69. iptables -A TRUSTED -i eth0 -p udp -m udp --dport 22 -j ACCEPT  
  70. iptables -A TRUSTED -i eth0 -p tcp -m tcp --dport 22 -j ACCEPT
  71.  
  72. # Allow http
  73. iptables -A TRUSTED -i eth0 -p udp -m udp --dport 80 -j ACCEPT  
  74. iptables -A TRUSTED -i eth0 -p tcp -m tcp --dport 80 -j ACCEPT
  75.  
  76. # Allow https    
  77. iptables -A TRUSTED -i eth0 -p udp -m udp --dport 443 -j ACCEPT  
  78. iptables -A TRUSTED -i eth0 -p tcp -m tcp --dport 443 -j ACCEPT
  79.  
  80. # Allow Tomcat/Fedora
  81. iptables -A TRUSTED -i eth0 -p udp -m udp --dport 8080 -j ACCEPT        
  82. iptables -A TRUSTED -i eth0 -p tcp -m tcp --dport 8080 -j ACCEPT
  83.  
  84. # etc - add in the additional ports you need to open below (NFS, SMB, 5000 for pylons, etc)
  85.  
  86. # Additional necessary routes pointed out by the Rubric team
  87. # via http://techteam.wordpress.com/2008/04/17/javanet-connection-exception-connection-refused/
  88. # Allow unlimited traffic on loopback
  89. iptables -A INPUT -i lo -j ACCEPT
  90. iptables -A OUTPUT -o lo -j ACCEPT
  91.  
  92. # End message
  93. echo " [End iptables rules setting]"
RAW Paste Data
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy. OK, I Understand
 
Top