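#!/bin/bash
#
# Host firewall for a single-homed machine: reverse-path filtering on,
# ICMP echo ignored, and every inbound packet dropped except loopback,
# replies to connections this host opened, and an explicit allow-list
# (DHCP, DNS, SSH, HTTP, HTTPS, 8080). Forwarding is dropped — this host
# does not share its connection.
#
# Usage: run as root. Rules are applied live and are not persisted;
#        re-run from a boot/network hook or save them with iptables-save.
# Env:   IFACE - external interface the allow-list applies to (default eth0).
#        Traffic arriving on any other interface except lo is dropped.
set -eu

IFACE="${IFACE:-eth0}"
readonly IFACE

die() { printf '%s\n' "$*" >&2; exit 1; }

# Writing the /proc sysctls and changing rules both need root; fail before
# touching anything rather than leave a half-applied ruleset behind.
(( EUID == 0 )) || die "this script must be run as root"
command -v iptables >/dev/null || die "iptables not found in PATH"

#######################################
# Kernel hardening: enable reverse-path filtering on every interface
# (drops packets whose source address would not route back the way they
# came in) and ignore ICMP echo requests, unicast and broadcast.
# Globals: none
#######################################
set_sysctls() {
  local filtre
  if [[ -e /proc/sys/net/ipv4/conf/all/rp_filter ]]; then
    for filtre in /proc/sys/net/ipv4/conf/*/rp_filter; do
      echo 1 > "$filtre"
    done
  fi
  echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all
  echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
}

#######################################
# Load the netfilter modules the rules may need. Best effort: on current
# kernels these are often built in or renamed (e.g. ip_nat_ftp is now
# nf_nat_ftp), so a failed modprobe is reported but not fatal.
# Globals: none
#######################################
load_modules() {
  local mod
  for mod in ip_tables ip_nat_ftp ip_nat_irc iptable_filter iptable_nat; do
    modprobe "$mod" 2>/dev/null \
      || printf 'warn: could not load module %s (built in or renamed?)\n' "$mod" >&2
  done
}

#######################################
# Flush the filter table, reset the built-in policies to ACCEPT and create
# the two user-defined chains. The policies stay ACCEPT on purpose: the
# explicit DROP at the end of FIREWALL is what closes the host.
# Globals: none
#######################################
reset_rules() {
  iptables -F
  iptables -X
  iptables -P INPUT ACCEPT
  iptables -P OUTPUT ACCEPT
  iptables -P FORWARD ACCEPT
  iptables -N FIREWALL
  iptables -N TRUSTED
}

#######################################
# FIREWALL chain: accept replies to our own connections and loopback, hand
# everything else to TRUSTED, then drop whatever TRUSTED did not accept.
# Globals: IFACE (read)
#######################################
build_firewall_chain() {
  iptables -A FIREWALL -i "$IFACE" -m state --state ESTABLISHED,RELATED -j ACCEPT
  iptables -A FIREWALL -i lo -j ACCEPT
  iptables -A FIREWALL -j TRUSTED
  iptables -A FIREWALL -j DROP
}

#######################################
# Append one ACCEPT rule to TRUSTED for the external interface.
# Globals:   IFACE (read)
# Arguments: $1 - protocol (tcp or udp), $2 - destination port
#######################################
allow_in() {
  iptables -A TRUSTED -i "$IFACE" -p "$1" -m "$1" --dport "$2" -j ACCEPT
}

#######################################
# TRUSTED chain: the inbound allow-list. Every port opened here is
# reachable from the network, so keep it minimal.
# Globals: IFACE (read, via allow_in)
#######################################
build_trusted_chain() {
  local port
  # DHCP (bootps 67 / bootpc 68). DHCP is UDP-only; the TCP rules are kept
  # from the original script but open nothing a DHCP client needs.
  for port in 67 68; do
    allow_in udp "$port"
    allow_in tcp "$port"
  done
  # DNS
  allow_in udp 53
  allow_in tcp 53
  # SSH (22), HTTP (80), HTTPS (443), Tomcat (8080).
  # NOTE(review): ssh, http and 8080 are TCP-only services; the UDP rules
  # are kept verbatim from the original but widen the exposure for no
  # benefit — remove them unless a UDP listener actually exists there.
  for port in 22 80 443 8080; do
    allow_in udp "$port"
    allow_in tcp "$port"
  done
  # Add further ports you need (NFS, SMB, 5000 for pylons, ...) here.
}

#######################################
# Built-in chains. INPUT: a source opening more than 3 new SSH connections
# within 180 s is dropped, first attempts go to TRUSTED, everything else to
# FIREWALL. FORWARD: drop, this host is not a router.
# Globals: none
#######################################
build_builtin_chains() {
  iptables -A INPUT -p tcp -m tcp --dport ssh -m state --state NEW \
    -m recent --hitcount 3 --seconds 180 --update -j DROP
  iptables -A INPUT -p tcp -m tcp --dport ssh -m state --state NEW \
    -m recent --set -j TRUSTED
  iptables -A INPUT -j FIREWALL
  iptables -A FORWARD -j DROP
  # Loopback. The INPUT rule is only reached if FIREWALL returns, which it
  # never does (it ends in DROP) — FIREWALL already accepts lo. The OUTPUT
  # rule is redundant with the ACCEPT policy. Both kept for parity with
  # the original ordering.
  iptables -A INPUT -i lo -j ACCEPT
  iptables -A OUTPUT -o lo -j ACCEPT
}

main() {
  set_sysctls
  load_modules
  reset_rules
  build_firewall_chain
  build_builtin_chains
  build_trusted_chain
  printf '%s\n' " [End iptables rules setting]"
}

main "$@"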