
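Hello all, hope you'll find it usefull too, i did http://www.kabelverhau.ch/elwms/en_iptables.php rgrds, F. Anybody's got a better version ? ;)
============================================
#! /bin/bash
#
# filter - small NAT router / packet filter for a box with an Internet
# uplink ($IF_INET), a trusted wired LAN ($IF_LAN) and a less trusted
# WLAN segment ($IF_WLAN).
#
# Usage: ./filter {start|stop}
#   start  flush all tables, install the rules below, then enable forwarding
#   stop   disable forwarding and open the filter again
#
# Must run as root (writes /proc/sys/net/ipv4 and calls iptables).
# Only IPv4 is handled: nothing here touches ip6tables, so IPv6 traffic is
# not filtered by this script at all.

IF_INET="eth0"
IF_LAN="eth1"
IF_LAN_NET="192.168.0.0/24"
IF_WLAN="wlan0"

# Ports that must never enter, leave or cross the box, in either direction:
# 135:139 (SMB/NetBIOS), 1433 (MS-SQL), 2049 (NFS), 5999:6063 (X11)
BAD_TCP=(135:139 1433 2049 5999:6063)
BAD_UDP=(135:139 1433 2049 5999:6063)

#######################################
# Flush every chain of the filter, nat and mangle tables.
# Chain policies are not touched here.
#######################################
flush_rules() {
  iptables -F
  iptables -t nat -F
  iptables -t mangle -F
}

#######################################
# Print the first IPv4 address configured on $IF_INET (empty if none).
# Prefers iproute2; falls back to net-tools ifconfig and copes with both
# the old "inet addr:1.2.3.4" and the new "inet 1.2.3.4" output formats.
# Globals:   IF_INET (read)
# Outputs:   the address on stdout
#######################################
inet_ip() {
  local addr
  if command -v ip >/dev/null 2>&1; then
    addr=$(ip -4 -o addr show dev "$IF_INET" 2>/dev/null \
      | awk 'NR == 1 { sub(/\/.*/, "", $4); print $4 }')
  else
    addr=$(ifconfig "$IF_INET" 2>/dev/null \
      | awk '/inet / { sub(/^addr:/, "", $2); print $2; exit }')
  fi
  printf '%s\n' "$addr"
}

#######################################
# Drop one port (or port range) for one protocol on INPUT, OUTPUT and
# FORWARD, matching both source and destination port so the service can
# neither be reached nor reach out.
# Arguments: $1 - protocol (tcp|udp), $2 - port or low:high range
#######################################
block_port() {
  local proto=$1 port=$2 chain dir
  for chain in INPUT OUTPUT FORWARD; do
    for dir in --dport --sport; do
      iptables -A "$chain" -p "$proto" "$dir" "$port" -j DROP
    done
  done
}

#######################################
# Install the DROP rules for every entry of BAD_TCP and BAD_UDP.
# Globals:   BAD_TCP, BAD_UDP (read)
#######################################
block_bad_ports() {
  local port
  for port in "${BAD_TCP[@]}"; do
    block_port tcp "$port"
  done
  for port in "${BAD_UDP[@]}"; do
    block_port udp "$port"
  done
}

#######################################
# ICMP policy. Type legend:
#  0 echo reply            3 destination unreachable   4 source quench
#  5 redirect              8 echo request              9 router advertisement
# 10 router solicitation  11 time exceeded            12 parameter problem
# 13 timestamp request    14 timestamp reply          15 information request
# 16 information reply    17 address mask request     18 address mask reply
# Inbound: only replies and error reports. Outbound: only the requests we
# originate plus source quench / parameter problem. Everything else is
# rate-limited logged and dropped. Forwarded ICMP is passed untouched.
#
# NOTE(review): the OUTPUT list drops type 3 from the box itself, so the
# router never emits "fragmentation needed" for packets it forwards; on an
# uplink with a smaller MTU than the LAN this can black-hole path-MTU
# discovery for the clients behind it. Consider adding 3 to the OUTPUT
# list if that shows up.
#######################################
icmp_rules() {
  local t
  for t in 0 3 4 11 12 14 16 18; do
    iptables -A INPUT -p icmp --icmp-type "$t" -j ACCEPT
  done
  iptables -A INPUT -p icmp -m limit -j LOG --log-prefix "FILTER ICMP-BAD-TYPE-IN:"
  iptables -A INPUT -p icmp -j DROP

  for t in 4 8 12 13 15 17; do
    iptables -A OUTPUT -p icmp --icmp-type "$t" -j ACCEPT
  done
  iptables -A OUTPUT -p icmp -m limit -j LOG --log-prefix "FILTER ICMP-BAD-TYPE-OUT:"
  iptables -A OUTPUT -p icmp -j DROP

  iptables -A FORWARD -p icmp -j ACCEPT
}

#######################################
# Per-interface accept rules: connection tracking on the uplink, loopback,
# the trusted LAN, the restricted WLAN, and the box's own public services.
# Globals:   IF_INET, IF_LAN, IF_LAN_NET, IF_WLAN (read)
#######################################
interface_rules() {
  echo " Stateful inspection..."
  # Replies to connections opened towards the Internet by the box or by
  # the hosts behind it. Only the uplink is covered here, so a connection
  # the wired LAN opens towards a WLAN host gets its replies dropped in
  # FORWARD (wlan0 -> LAN net is only accepted for dport 22/80 below);
  # add an interface-less ESTABLISHED,RELATED rule if LAN -> WLAN is wanted.
  iptables -A INPUT -i "$IF_INET" -m state --state ESTABLISHED,RELATED -j ACCEPT
  iptables -A FORWARD -i "$IF_INET" -m state --state ESTABLISHED,RELATED -j ACCEPT

  echo " Rules for Loopback Interface..."
  iptables -A INPUT -i lo -j ACCEPT
  iptables -A OUTPUT -o lo -j ACCEPT

  echo " Rules for local LAN..."
  # The wired LAN is fully trusted.
  iptables -A INPUT -i "$IF_LAN" -j ACCEPT
  iptables -A FORWARD -i "$IF_LAN" -j ACCEPT

  echo " Rules for local WLAN..."
  # To the box itself: DNS and DHCP only.
  iptables -A INPUT -i "$IF_WLAN" -p tcp --dport 53 -j ACCEPT
  iptables -A INPUT -i "$IF_WLAN" -p udp --dport 53 -j ACCEPT
  iptables -A INPUT -i "$IF_WLAN" -p tcp --dport 67 -j ACCEPT
  iptables -A INPUT -i "$IF_WLAN" -p udp --dport 67 -j ACCEPT
  # Through the box: SSH and HTTP anywhere (including the wired LAN), and
  # anything that is NOT aimed at the wired LAN, i.e. plain Internet access.
  # "! -d" is the extrapositioned negation; the old "-d !" form is
  # deprecated and rejected by newer iptables releases.
  iptables -A FORWARD -i "$IF_WLAN" -p tcp --dport 22 -j ACCEPT
  iptables -A FORWARD -i "$IF_WLAN" -p tcp --dport 80 -j ACCEPT
  iptables -A FORWARD -i "$IF_WLAN" ! -d "$IF_LAN_NET" -j ACCEPT

  echo " Local public services (all interfaces):"
  echo " SSH..."
  iptables -A INPUT -p tcp --dport 22 -j ACCEPT

  #echo " Forwarding:"
  #echo " SSH..."
  #iptables -A FORWARD -p tcp -d 192.168.0.100 --dport 22 -j ACCEPT
  #iptables -t nat -A PREROUTING -i "$IF_INET" -p tcp -d "$IF_INET_IP" --dport 2222 -j DNAT --to 192.168.0.100:22
}

#######################################
# Terminal rules of INPUT and FORWARD: log (rate-limited) and drop
# whatever no earlier rule accepted, split by protocol for readable logs.
#######################################
log_and_drop() {
  local chain tag
  for chain in INPUT FORWARD; do
    tag=IN
    [[ "$chain" == FORWARD ]] && tag=FWD
    iptables -A "$chain" -p tcp -m limit -j LOG --log-prefix "FILTER TCP-BAD-${tag}:"
    iptables -A "$chain" -p tcp -j DROP
    iptables -A "$chain" -p udp -m limit -j LOG --log-prefix "FILTER UDP-BAD-${tag}:"
    iptables -A "$chain" -p udp -j DROP
    iptables -A "$chain" -m limit -j LOG --log-prefix "FILTER UNKNOWN-BAD-${tag}:"
    iptables -A "$chain" -j DROP
  done
}

#######################################
# Kernel-side hardening: reverse-path filtering on every interface and no
# source-routed packets.
#######################################
harden_sysctl() {
  local f
  echo "Setting up spoofing protection..."
  for f in /proc/sys/net/ipv4/conf/*/rp_filter; do
    echo 1 > "$f"
  done
  echo "Disabling source routed packets..."
  for f in /proc/sys/net/ipv4/conf/*/accept_source_route; do
    echo 0 > "$f"
  done
}

#######################################
# Bring the filter up. Forwarding stays off until every rule is in place.
# The default policies are set BEFORE the rules are installed so that a
# failing iptables call half-way through leaves the box closed rather
# than open; existing connections survive the flush because conntrack
# state is not flushed by "iptables -F".
#######################################
do_start() {
  local IF_INET_IP

  echo "Cleaning up..."
  echo 0 > /proc/sys/net/ipv4/ip_forward
  flush_rules

  echo "Setting default policy..."
  iptables -P INPUT DROP
  iptables -P OUTPUT ACCEPT
  iptables -P FORWARD DROP

  echo -n "Determinating IP-Address of Internet Interface... "
  IF_INET_IP=$(inet_ip)
  printf '%s\n' "$IF_INET_IP"

  echo "Creating IPTABLES rules:"
  echo " Masquerading..."
  iptables -t nat -A POSTROUTING -o "$IF_INET" -j MASQUERADE

  echo " Protecting well-known ports..."
  block_bad_ports

  echo " Rules for ICMP..."
  icmp_rules

  interface_rules

  echo " Logging & Dropping..."
  log_and_drop

  harden_sysctl

  echo "Starting up routing..."
  echo 1 > /proc/sys/net/ipv4/ip_forward
}

#######################################
# Take the filter down: stop forwarding, open INPUT/OUTPUT and flush.
# The FORWARD policy is left as it is; with ip_forward=0 nothing is
# forwarded anyway.
#######################################
do_stop() {
  echo "Shutting down routing..."
  echo 0 > /proc/sys/net/ipv4/ip_forward
  iptables -P INPUT ACCEPT
  iptables -P OUTPUT ACCEPT
  flush_rules
}

case "$1" in
  start)
    do_start
    ;;
  stop)
    do_stop
    ;;
  *)
    echo "Usage: ./filter {start|stop}"
    exit 1
    ;;
esac
exit 0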