iptables firewall script



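#!/bin/bash
###############################################
#
# Copyright (c) webHauser
# iptables packet filtering firewall script
# RedHat Linux 9
# Kernel 2.4.20-8
#
# Purpose: harden the IPv4 stack through /proc/sys, then install a
# default-deny iptables ruleset that admits only loopback traffic, replies
# to connections this host opened, and a few LAN-side services (ssh, icmp
# echo, http, tomcat).  The loaded ruleset is written to $SAVE_FILE with
# iptables-save.
#
# Must run as root.  Every step is checked (set -e plus explicit guards) so
# a failure aborts the script instead of silently leaving a half-loaded,
# weaker ruleset in place.
###############################################

set -euo pipefail

# shellcheck disable=SC2034  # NET is documented for operators; no rule binds to it yet
readonly NET=eth0
readonly LAN=eth1
readonly IPTABLES=/sbin/iptables
readonly IPTABLES_SAVE=/sbin/iptables-save
readonly SAVE_FILE=/root/setup/firewall/iptables-new

# Print a diagnostic to stderr and exit non-zero.
die() {
  printf 'firewall: %s\n' "$*" >&2
  exit 1
}

# Write a value to a kernel tunable under /proc/sys/net/ipv4 and abort if
# the key is missing or not writable, rather than continuing with a weaker
# stack than the comments below promise.
#   $1 - path relative to /proc/sys/net/ipv4
#   $2 - value to write
set_ipv4_sysctl() {
  local key=$1 value=$2
  local path="/proc/sys/net/ipv4/${key}"
  echo "$value" > "$path" || die "cannot set ${path}=${value}"
}

[[ "$EUID" -eq 0 ]] || die "must be run as root"
[[ -x "$IPTABLES" ]] || die "${IPTABLES} not found or not executable"
[[ -x "$IPTABLES_SAVE" ]] || die "${IPTABLES_SAVE} not found or not executable"

#
# ipkernel security settings
# /etc/sysctl.conf
#
# This setting is default
# echo 1 > /proc/sys/net/ipv4/ip_forward
# Drop ICMP echo-request messages sent to broadcast or multicast addresses
set_ipv4_sysctl icmp_echo_ignore_broadcasts 1

# Drop source routed packets
set_ipv4_sysctl conf/all/accept_source_route 0

# Enable TCP SYN cookie protection from SYN floods
set_ipv4_sysctl tcp_syncookies 1

# Don't accept ICMP redirect messages
set_ipv4_sysctl conf/all/accept_redirects 0

# Don't send ICMP redirect messages
set_ipv4_sysctl conf/all/send_redirects 0

# Enable source address spoofing protection
set_ipv4_sysctl conf/all/rp_filter 1

# Log packets with impossible source addresses.
# The original wrote 0 here, which disables martian logging and contradicted
# this comment; 1 is what the comment (and a defensive configuration) intends.
set_ipv4_sysctl conf/all/log_martians 1

# Flush all rules and delete user-defined chains in every table we touch.
for table in filter nat mangle; do
  "$IPTABLES" -t "$table" -F
  "$IPTABLES" -t "$table" -X
done

# Set default policies: default-deny in all three built-in chains
"$IPTABLES" --policy INPUT DROP
"$IPTABLES" --policy FORWARD DROP
"$IPTABLES" --policy OUTPUT DROP

# Allow unlimited traffic on the loopback interface
"$IPTABLES" -A INPUT -i lo -j ACCEPT
"$IPTABLES" -A OUTPUT -o lo -j ACCEPT

# Previously initiated and accepted exchanges bypass rule checking.
# Installed immediately after the DROP policies so an existing admin
# session (e.g. ssh) keeps working while the rest of the ruleset loads.
"$IPTABLES" -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# Allow unlimited outbound traffic (INVALID still falls to the DROP policy)
"$IPTABLES" -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

# Inbound services are accepted only on the LAN interface; no NEW
# connection is accepted on $NET, so the Internet side stays closed.
# Allow incoming port 22 (ssh) connections on LAN interface
"$IPTABLES" -A INPUT -i "$LAN" -p tcp --destination-port 22 -m state --state NEW -j ACCEPT

# Allow ICMP ECHO REQUESTS on LAN interface
"$IPTABLES" -A INPUT -i "$LAN" -p icmp --icmp-type echo-request -j ACCEPT

# Allow incoming 80 (http) connections from LAN interface
"$IPTABLES" -A INPUT -i "$LAN" -p tcp --destination-port 80 -m state --state NEW -j ACCEPT

# Allow incoming 8080 (tomcat) connections from LAN interface
"$IPTABLES" -A INPUT -i "$LAN" -p tcp --destination-port 8080 -m state --state NEW -j ACCEPT

# Create a LOGDROP chain to log and drop packets to /var/log/messages
# (left disabled as in the original; enabling it gives visibility into what
# the final DROP below discards)
####$IPTABLES -N LOGDROP
####$IPTABLES -A LOGDROP -j LOG
####$IPTABLES -A LOGDROP -j DROP
####$IPTABLES -A INPUT -j LOGDROP

# Drop all other traffic (explicit, in addition to the DROP policy)
"$IPTABLES" -A INPUT -j DROP

# Persist the loaded ruleset.  Create the target directory if it is missing
# (the original redirect failed silently without it) and keep the file
# root-only, since it spells out the host's exact filtering policy.
mkdir -p -- "${SAVE_FILE%/*}" || die "cannot create ${SAVE_FILE%/*}"
(umask 077 && "$IPTABLES_SAVE" > "$SAVE_FILE") || die "iptables-save to ${SAVE_FILE} failed"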
