  1. #!/bin/bash
  2.  
  3. # No spoofing
  4. if [ -e /proc/sys/net/ipv4/conf/all/rp_filter ]
  5. then
  6. for filtre in /proc/sys/net/ipv4/conf/*/rp_filter
  7. do
  8. echo 1 > $filtre
  9. done
  10. fi
  11.  
  12. # No icmp
  13. echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all
  14. echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
  15.  
  16. #load some modules you may need
  17. modprobe ip_tables
  18. modprobe ip_nat_ftp
  19. modprobe ip_nat_irc
  20. modprobe iptable_filter
  21. modprobe iptable_nat
  22.  
  23. # Remove all rules and chains
  24. iptables -F
  25. iptables -X
  26.  
  27. # first set the default behaviour => accept connections
  28. iptables -P INPUT ACCEPT
  29. iptables -P OUTPUT ACCEPT
  30. iptables -P FORWARD ACCEPT
  31.  
  32. # Create 2 chains, it allows to write a clean script
  33. iptables -N FIREWALL
  34. iptables -N TRUSTED
  35.  
  36. # Allow ESTABLISHED and RELATED incoming connection
  37. iptables -A FIREWALL -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
  38. # Allow loopback traffic
  39. iptables -A FIREWALL -i lo -j ACCEPT
  40. # Send all package to the TRUSTED chain
  41. iptables -A FIREWALL -j TRUSTED
  42. # DROP all other packets
  43. iptables -A FIREWALL -j DROP
  44.  
  45. # Rate limit SSH attempts.
  46. iptables -A INPUT -p tcp -m tcp --dport ssh -m state --state NEW -m recent --hitcount 3 --seconds 180 --update -j DROP
  47.  
  48. # Allow first attempts through
  49. iptables -A INPUT -p tcp -m tcp --dport ssh -m state --state NEW -m recent --set -j TRUSTED
  50.  
  51. # Send all INPUT packets to the FIREWALL chain
  52. iptables -A INPUT -j FIREWALL
  53. # DROP all forward packets, we don't share the internet connection
  54. iptables -A FORWARD -j DROP
  55.  
  56. # Now process what to allow through from the TRUSTED chain:
  57.  
  58. # Allow domain
  59. iptables -A TRUSTED -i eth0 -p udp -m udp --dport 67 -j ACCEPT  
  60. iptables -A TRUSTED -i eth0 -p udp -m udp --dport 68 -j ACCEPT  
  61. iptables -A TRUSTED -i eth0 -p tcp -m tcp --dport 67 -j ACCEPT
  62. iptables -A TRUSTED -i eth0 -p tcp -m tcp --dport 68 -j ACCEPT
  63.  
  64. # Allow domain
  65. iptables -A TRUSTED -i eth0 -p udp -m udp --dport 53 -j ACCEPT  
  66. iptables -A TRUSTED -i eth0 -p tcp -m tcp --dport 53 -j ACCEPT
  67.  
  68. # Allow ssh
  69. iptables -A TRUSTED -i eth0 -p udp -m udp --dport 22 -j ACCEPT  
  70. iptables -A TRUSTED -i eth0 -p tcp -m tcp --dport 22 -j ACCEPT
  71.  
  72. # Allow http
  73. iptables -A TRUSTED -i eth0 -p udp -m udp --dport 80 -j ACCEPT  
  74. iptables -A TRUSTED -i eth0 -p tcp -m tcp --dport 80 -j ACCEPT
  75.  
  76. # Allow https    
  77. iptables -A TRUSTED -i eth0 -p udp -m udp --dport 443 -j ACCEPT  
  78. iptables -A TRUSTED -i eth0 -p tcp -m tcp --dport 443 -j ACCEPT
  79.  
  80. # Allow Tomcat/Fedora
  81. iptables -A TRUSTED -i eth0 -p udp -m udp --dport 8080 -j ACCEPT        
  82. iptables -A TRUSTED -i eth0 -p tcp -m tcp --dport 8080 -j ACCEPT
  83.  
  84. # etc - add in the additional ports you need to open below (NFS, SMB, 5000 for pylons, etc)
  85.  
  86. # Additional necessary routes pointed out by the Rubric team
  87. # via http://techteam.wordpress.com/2008/04/17/javanet-connection-exception-connection-refused/
  88. # Allow unlimited traffic on loopback
  89. iptables -A INPUT -i lo -j ACCEPT
  90. iptables -A OUTPUT -o lo -j ACCEPT
  91.  
  92. # End message
  93. echo " [End iptables rules setting]"