  1. #!/bin/bash
  2.  
  3.  
  4. #### Clear ####
  5.  
  6. iptables -F
  7. iptables -X
  8.  
  9. #++++++++++++++
  10.  
  11.  
  12. #### Policy ####################
  13.  
  14. iptables -P INPUT DROP
  15. iptables -P FORWARD DROP
  16. iptables -P OUTPUT DROP
  17.  
  18. #+++++++++++++++++++++++++++++++
  19.  
  20.  
  21. ##### CUSTOM CHAINS ####################################################################
  22.  
  23. # Icmp
  24. iptables -N ICMP
  25. iptables -A ICMP -m limit --limit 15/minute -j LOG --log-prefix "Icmp: "
  26. iptables -A ICMP -j DROP
  27.  
  28. # Bad Flags, Bogus etc.
  29. iptables -N BOGUS
  30. iptables -A BOGUS -m limit --limit 15/minute -j LOG --log-prefix "Bogus: "
  31. iptables -A BOGUS -j DROP
  32.  
  33. # Lan Spoof
  34. iptables -N LANSPOOF
  35. iptables -A LANSPOOF -m limit --limit 15/minute -j LOG --log-prefix "LanSpoof: "
  36. iptables -A LANSPOOF -j DROP
  37.  
  38. # Loopback Spoof
  39. iptables -N LOOPSPOOF
  40. iptables -A LOOPSPOOF -m limit --limit 15/minute -j LOG --log-prefix "LoopSpoof: "
  41. iptables -A LOOPSPOOF -j DROP
  42.  
  43. # Finall Firewall
  44. iptables -N FIREWALL
  45. iptables -A FIREWALL -m limit --limit 15/minute -j LOG --log-prefix "Firewall: "
  46. iptables -A FIREWALL -j DROP
  47.  
  48. #+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
  49.  
  50.  
  51. ##### INPUT BLOCK ##############################################################################
  52.  
  53. # Drop all ICMP
  54. iptables -A INPUT -p icmp -j ICMP
  55.  
  56. # LAN Spoof
  57. iptables -A INPUT -i eth0 -s 192.168.0.0/24 -j LANSPOOF
  58. iptables -A INPUT -i wlan0 -s 192.168.0.0/24 -j LANSPOOF
  59.  
  60. # Loopback Spoof
  61. iptables -A INPUT ! -i lo -s 127.0.0.0/8 -j LOOPSPOOF
  62.  
  63. # Fragments
  64. iptables -A INPUT -f -j BOGUS
  65.  
  66. # Bogus packets
  67. iptables -A INPUT -m conntrack --ctstate INVALID -j BOGUS
  68.  
  69. iptables -A INPUT -p tcp --tcp-flags FIN,ACK FIN -j BOGUS
  70. iptables -A INPUT -p tcp --tcp-flags ACK,PSH PSH -j BOGUS
  71. iptables -A INPUT -p tcp --tcp-flags ACK,URG URG -j BOGUS
  72. iptables -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j BOGUS
  73. iptables -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j BOGUS
  74. iptables -A INPUT -p tcp --tcp-flags FIN,RST FIN,RST -j BOGUS
  75. iptables -A INPUT -p tcp --tcp-flags ALL ALL -j BOGUS
  76. iptables -A INPUT -p tcp --tcp-flags ALL NONE -j BOGUS
  77. iptables -A INPUT -p tcp --tcp-flags ALL FIN,PSH,URG -j BOGUS
  78. iptables -A INPUT -p tcp --tcp-flags ALL SYN,FIN,PSH,URG -j BOGUS
  79. iptables -A INPUT -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j BOGUS
  80. iptables -A INPUT -m conntrack --ctstate NEW,RELATED -p tcp ! --tcp-flags ALL SYN -j BOGUS
  81.  
  82.  
  83. #----- INPUT ACCEPT ----------------------------------------------------------------------------
  84.  
  85. # Already established and related
  86. iptables -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
  87.  
  88. # Loopback
  89. iptables -A INPUT -i lo -j ACCEPT
  90.  
  91. #+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
  92.  
  93.  
  94.  
  95. ##### OUTPUT BLOCK #####################################################################
  96.  
  97. # Drop all ICMP
  98. iptables -A OUTPUT -p icmp -j ICMP
  99.  
  100. # Bogus packets
  101. iptables -A OUTPUT -m conntrack --ctstate INVALID -j BOGUS
  102.  
  103. #---- OUTPUT ACCEPT --------------------------------------------------------------------
  104.  
  105. # Loopback
  106. iptables -A OUTPUT -o lo -j ACCEPT
  107.  
  108. # Dns
  109. iptables -A OUTPUT -p udp --dport 53 -d 208.67.222.222 -j ACCEPT
  110. iptables -A OUTPUT -p udp --dport 53 -d 208.67.220.220 -j ACCEPT
  111.  
  112. # Services
  113. iptables -A OUTPUT -p tcp --dport 80 -j ACCEPT
  114. iptables -A OUTPUT -p tcp --dport 443 -j ACCEPT
  115. iptables -A OUTPUT -p tcp --dport 873 -j ACCEPT
  116.  
  117. #+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
  118.  
  119.  
  120.  
  121. ##### FORWARD BLOCK ####################################################################
  122.  
  123. # Bogus Packets
  124. iptables -A FORWARD -m conntrack --ctstate INVALID -j BOGUS
  125.  
  126. #+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
  127.  
  128.  
  129.  
  130. ##### FINAL CATCH ALL ##########
  131.  
  132. iptables -A INPUT -j FIREWALL
  133. iptables -A OUTPUT -j FIREWALL
  134.  
  135. #+++++++++++++++++++++++++