Advertising
- Someone
- Monday, January 21st, 2008 at 12:09:37am UTC
- #!/bin/bash
- # No spoofing
- if [ -e /proc/sys/net/ipv4/conf/all/rp_filter ]
- then
- for filtre in /proc/sys/net/ipv4/conf/*/rp_filter
- do
- echo 1 > $filtre
- done
- fi
- # No icmp
- echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all
- echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
- echo 1 > /proc/sys/net/ipv4/ip_forward
- #load some modules you may need
- modprobe ip_tables
- modprobe ip_nat_ftp
- modprobe ip_nat_irc
- modprobe iptable_filter
- modprobe iptable_nat
- modprobe ip_conntrack_irc
- modprobe ip_conntrack_ftp
- # Remove all rules and chains
- iptables -F
- iptables -X
- # first set the default behaviour => accept connections
- iptables -P INPUT ACCEPT
- iptables -P OUTPUT ACCEPT
- iptables -P FORWARD ACCEPT
- # Create 2 chains, it allows to write a clean script
- iptables -N FIREWALL
- iptables -N TRUSTED
- # Allow ESTABLISHED and RELATED incoming connection
- iptables -A FIREWALL -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
- # Allow loopback traffic
- iptables -A FIREWALL -i lo -j ACCEPT
- # Send all package to the TRUSTED chain
- iptables -A FIREWALL -j TRUSTED
- # DROP all other packets
- iptables -A FIREWALL -j DROP
- # Send all INPUT packets to the FIREWALL chain
- iptables -A INPUT -j FIREWALL
- #openvpn
- iptables -A FORWARD -i tun+ -j ACCEPT
- iptables -A FORWARD -i TAP+ -j ACCEPT
- iptables -A FORWARD -i TAP+ -j FOWARD
- iptables -A FORWARD -i tun+ -j FOWARD
- iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
- iptables -A INPUT -i tun+ -j ACCEPT
- # Allow https
- iptables -A TRUSTED -i eth0 -p udp -m udp --dport 443 -j ACCEPT
- iptables -A TRUSTED -i eth0 -p tcp -m tcp --dport 443 -j ACCEPT
- iptables -A INPUT -p tcp -m tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT
- iptables -A INPUT -i eth0 -p tcp -m tcp --sport 21 -m state --state ESTABLISHED -j ACCEPT
- iptables -A INPUT -i eth0 -p tcp -m tcp --sport 20 -m state --state ESTABLISHED,RELATED -j ACCEPT
- iptables -A INPUT -i eth0 -p tcp -m tcp --sport 1024:65535 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
- iptables -A OUTPUT -o eth0 -p tcp -m tcp --dport 21 -m state --state NEW,ESTABLISHED -j ACCEPT
- iptables -A OUTPUT -o eth0 -p tcp -m tcp --dport 20 -m state --state ESTABLISHED -j ACCEPT
- iptables -A OUTPUT -o eth0 -p tcp -m tcp --sport 1024:65535 --dport 1024:65535 -m state --state ESTABLISHED,RELATED -j ACCEPT
- # Allow IRC IDENT & DCC
- iptables -A TRUSTED -i eth0 -p tcp -m tcp --dport 6667 -j ACCEPT
- iptables -A TRUSTED -i eth0 -p tcp -m tcp --dport 113 -j ACCEPT
- # Allow bittorrent
- iptables -A TRUSTED -i eth0 -p tcp -m tcp --dport 6881:6889 -j ACCEPT
- # End message
- echo " [End iptables rules setting]"
advertising
Update the Post
Either update this post and resubmit it with changes, or make a new post.
You may also comment on this post.
Please note that information posted here will not expire by default. If you do not want it to expire, please set the expiry time above. If it is set to expire, web search engines will not be allowed to index it prior to it expiring. Items that are not marked to expire will be indexable by search engines. Be careful with your passwords. All illegal activities will be reported and any information will be handed over to the authorities, so be good.