  1. #!/bin/bash
  2. # My very simple iptables firewall
  3. # This is intended to give basic protection to a network
  4.  
  5. # load some needed kernel modules
  6. #modprobe ip_conntrack
  7. #modprobe ip_conntrack_ftp
  8. #modprobe ip_conntrack_irc
  9.  
  10. # temporarily allow everything to make sure we don't drop any connections
  11. # while we change the rules. connections might be dropped anyway the first
  12. # time you run the script after a reboot, since connection states
  13. # won't be aviable.
  14. iptables -P INPUT ACCEPT
  15. iptables -P OUTPUT ACCEPT
  16.  
  17. # remove previous rules
  18. iptables -F
  19.  
  20. # always allow connections to localhost
  21. iptables -A INPUT -i lo -j ACCEPT
  22. iptables -A OUTPUT -o lo -j ACCEPT
  23.  
  24. # Enable transparent proxy
  25. #iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128
  26.  
  27. # always allow connections to/from the local lan
  28. # iptables -A INPUT -i eth0 -s 192.168.10.1/16 -j ACCEPT
  29. # iptables -A OUTPUT -o eth0 -d 192.168.10.1/16 -j ACCEPT
  30.  
  31. # drop bad connections (port scans, etc) that are marked below
  32. iptables -A INPUT -m recent --name scan --update --seconds 600 --rttl --hitcount 3 -j DROP
  33.  
  34. # allow connections that are already established
  35. iptables -A OUTPUT -o eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT
  36. iptables -A INPUT -i eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT
  37.  
  38. # allow new outgoing tcp, udp and icmp connections
  39. iptables -A OUTPUT -p tcp -o eth1 -m state --state NEW -j ACCEPT
  40. iptables -A OUTPUT -p udp -o eth1 -m state --state NEW -j ACCEPT
  41. iptables -A OUTPUT -p icmp -o eth1 -m state --state NEW -j ACCEPT
  42.  
  43. # allow new incoming tcp connections from the internet to selected ports
  44. # currently ssh, http, irc
  45. iptables -A INPUT -p tcp -i eth1 --dport 22 -m state --state NEW -j ACCEPT
  46. iptables -A INPUT -p tcp -i eth1 --dport 25565 -m state --state NEW -j ACCEPT
  47.  
  48. # reject ident instead of dropping, to speed up connecting to irc
  49. iptables -A INPUT -p tcp -i eth1 --dport 113 -m state --state NEW -j REJECT --reject-with tcp-reset
  50.  
  51. # incoming connections that have reached this points are possibly port scan
  52. # attempts or otherwise bad. mark those ips here so they can be blocked.
  53. iptables -A INPUT -i eth1 -m recent --name scan --set -j DROP
  54.  
  55. # set default policies
  56. # ignore everything
  57. iptables -P INPUT DROP
  58. iptables -P FORWARD DROP
  59. iptables -P OUTPUT DROP
  60.  
  61.  
  62. # Allow established connections, and those not coming from the outside
  63. iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
  64. iptables -A INPUT -m state --state NEW -i ! eth1 -j ACCEPT
  65. iptables -A FORWARD -i eth1 -o eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
  66.  
  67. # Allow outgoing connections from the LAN side.
  68. # iptables -A FORWARD -i eth0 -o eth1 -j ACCEPT
  69.  
  70. # Masquerade.
  71. # iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE
  72.  
  73. # Don't forward from the outside to the inside.
  74. iptables -A FORWARD -i eth1 -o eth1 -j REJECT
  75.  
  76. # Enable routing.
  77. # echo 1 > /proc/sys/net/ipv4/ip_forward