


IP Tables Setup Script

Note that this one is really ancient and I haven't used it in maybe a decade. You probably do not want to use it, except as a reference for some ideas.

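#! /bin/sh
#
# firewall	setting up IPTables firewalling
#
# tom-at-lemuria-dot-org
# if you find any bugs, you may keep them :)
#
# Usage: firewall {start|stop}
#
# Host firewall for a single box with no forwarding. "start" rebuilds the
# whole ruleset from scratch and fails closed (policies are set to DROP
# before any ACCEPT rule exists); "stop" flushes everything and opens the
# host up again. Written for POSIX sh: no bashisms, printf instead of
# "echo -n".
#
# This targets 2.4/2.6-era netfilter (ip_conntrack module, "-m state",
# an out-of-tree ipt_psd.o). Newer kernels name the conntrack module
# nf_conntrack and prefer "-m conntrack --ctstate"; check before reusing.
#

IPTABLES="/sbin/iptables"

# Abort on the first failing command. Because the DROP policies are applied
# early in fw_start, an abort leaves the box without connectivity rather
# than half-open.
set -e

# Write a value into a /proc/sys tunable.
# Arguments: $1 - path below /proc/sys (e.g. net/ipv4/ip_forward)
#            $2 - value to write
sysctl_w() {
  printf '%s\n' "$2" > "/proc/sys/$1"
}

# Build the complete ruleset. Order matters: "-I" rules are inserted at
# the head of their chain, so the service rules added last end up first,
# ahead of the logging rules that were appended ("-A") earlier.
fw_start() {
  echo "Starting firewall: "
  modprobe ip_conntrack
  printf '%s' "setting default policy: "
  # syncookies and NO ip-forwarding
  sysctl_w net/ipv4/tcp_syncookies 1
  sysctl_w net/ipv4/ip_forward 0
  # flush rules, delete user chains, zero counters, then fail closed on
  # all three built-in chains before any ACCEPT rule is added
  "$IPTABLES" -F
  "$IPTABLES" -X
  "$IPTABLES" -Z
  "$IPTABLES" -P INPUT DROP
  "$IPTABLES" -P FORWARD DROP
  "$IPTABLES" -P OUTPUT DROP
  # one user chain per protocol; INPUT hands each protocol off to its chain
  "$IPTABLES" -N in_icmp
  "$IPTABLES" -N in_tcp
  "$IPTABLES" -N in_udp
  "$IPTABLES" -A INPUT -p tcp -j in_tcp
  "$IPTABLES" -A INPUT -p udp -j in_udp
  "$IPTABLES" -A INPUT -p icmp -j in_icmp
  echo "done"
  printf '%s' "spoofing, redirect and broadcast protection/logging: "
  sysctl_w net/ipv4/conf/all/log_martians 1
  sysctl_w net/ipv4/conf/all/accept_redirects 0
  sysctl_w net/ipv4/conf/all/accept_source_route 0
  sysctl_w net/ipv4/icmp_echo_ignore_broadcasts 1
  echo "done"
  printf '%s' "enabling scan detection: "
  # ipt_psd was an out-of-tree module (hence the .o); without it we fall
  # back to flag-based logging of the common scan signatures
  if [ -f "/lib/modules/$(uname -r)/kernel/net/ipv4/netfilter/ipt_psd.o" ]; then
    "$IPTABLES" -A INPUT -m psd -m limit --limit 5/minute -j LOG --log-prefix '#### Port Scan ####'
    echo "psd enabled"
  else
    "$IPTABLES" -A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/minute -j LOG --log-prefix '#### Ping Scan ####'
    # high rate for stealth scans, since they could be legitimate connection
    # attempts as well
    "$IPTABLES" -A in_tcp -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s --limit-burst 5 -j LOG --log-level info --log-prefix '#### Stealth Scan ####'
    "$IPTABLES" -A in_tcp -p tcp --tcp-flags ALL FIN,URG,PSH -m limit --limit 5/m -j LOG --log-level info --log-prefix '#### XMAS Scan ####'
    "$IPTABLES" -A in_tcp -p tcp --tcp-flags SYN,RST SYN,RST -m limit --limit 5/m -j LOG --log-level info --log-prefix '#### SYN/RST Scan ####'
    "$IPTABLES" -A in_tcp -p tcp --tcp-flags SYN,FIN SYN,FIN -m limit --limit 5/m -j LOG --log-level info --log-prefix '#### SYN/FIN Scan ####'
    echo "limited detection enabled (no ipt_psd module)"
  fi
  printf '%s' "flood, fragment and various other protections: "
  # SYN rate limit: 1/s average with a burst of 4, over ALL incoming SYNs
  # together (not per source address) - a single busy or hostile peer can
  # therefore delay new connections from everyone else. Kept as the
  # original author wrote it.
  "$IPTABLES" -N syn-flood
  "$IPTABLES" -A INPUT -p tcp --syn -j syn-flood
  "$IPTABLES" -A syn-flood -m limit --limit 1/s --limit-burst 4 -j RETURN
  "$IPTABLES" -A syn-flood -j DROP
  # new connections that have no syn set are most probably evil
  "$IPTABLES" -A INPUT -p tcp ! --syn -m state --state NEW -j DROP
  # invalid packets are only logged here; they reach the DROP policy unless
  # a later rule accepts them
  "$IPTABLES" -A INPUT -p tcp -m state --state INVALID -m limit --limit 10/m -j LOG --log-level info --log-prefix "### Invalid Packet ###"
  # --tcp-option matches TCP option kinds 64/128, not flags; the log prefix
  # keeps the original wording
  "$IPTABLES" -A INPUT -p tcp --tcp-option 64 -m limit --limit 5/m -j LOG --log-level info --log-prefix "### Bad TCP FLAG(64) ###"
  "$IPTABLES" -A INPUT -p tcp --tcp-option 128 -m limit --limit 5/m -j LOG --log-level info --log-prefix "### Bad TCP FLAG(128) ###"
  echo "done"
  printf '%s' "setting up ICMP: "
  # we allow echo requests and replies
  # could limit replies to related, but since we answer ping requests,
  # where would be the point in that?
  "$IPTABLES" -A in_icmp -p icmp --icmp-type 0 -j ACCEPT
  "$IPTABLES" -A in_icmp -p icmp --icmp-type 8 -j ACCEPT
  # we need destination unreachable
  "$IPTABLES" -A in_icmp -p icmp --icmp-type 3 -j ACCEPT
  # we are nice and allow traceroute, though it is not required
  "$IPTABLES" -A in_icmp -p icmp --icmp-type 11 -j ACCEPT
  "$IPTABLES" -A in_icmp -p icmp --icmp-type 30 -j ACCEPT
  echo "done"
  printf '%s' "enabling local and outgoing traffic: "
  "$IPTABLES" -A INPUT -i lo -j ACCEPT
  # replies to our own outgoing TCP connections; only high destination
  # ports are covered, so a local socket bound below 1024 gets no replies
  "$IPTABLES" -I in_tcp -p tcp --dport 1024:65535 -m state --state ESTABLISHED,RELATED -j ACCEPT
  "$IPTABLES" -A OUTPUT -j ACCEPT
  # we are nice and reject instead of drop ident traffic
  # (this used to read "--j REJECT", which iptables refuses as an unknown
  # option and which, under set -e, aborted the script right here - after
  # OUTPUT was opened but before any service was allowed in)
  "$IPTABLES" -I in_tcp -p tcp --dport auth -j REJECT
  echo "done"
  printf '%s' "enabling selected services:"
  "$IPTABLES" -I in_tcp -p tcp --dport http -m state --state NEW,ESTABLISHED -j ACCEPT
  printf '%s' " http"
  "$IPTABLES" -I in_tcp -p tcp --dport ssh -m state --state NEW,ESTABLISHED -j ACCEPT
  printf '%s' " ssh"
  "$IPTABLES" -I in_tcp -p tcp --dport smtp -m state --state NEW,ESTABLISHED -j ACCEPT
  printf '%s' " smtp"
  "$IPTABLES" -I in_tcp -p tcp --dport imaps -m state --state NEW,ESTABLISHED -j ACCEPT
  printf '%s' " imaps"
  "$IPTABLES" -I in_tcp -p tcp --dport domain -m state --state NEW,ESTABLISHED -j ACCEPT
  "$IPTABLES" -I in_udp -p udp --dport domain -m state --state NEW,ESTABLISHED -j ACCEPT
  printf '%s' " dns"
  "$IPTABLES" -I in_tcp -p tcp --dport ftp -m state --state NEW,ESTABLISHED -j ACCEPT
  # active ftp
  "$IPTABLES" -I in_tcp -p tcp --dport ftp-data -m state --state ESTABLISHED,RELATED -j ACCEPT
  printf '%s' " ftp"
  # quake3
  # NOTE: this accepts any UDP to ports >1024 with no state check at all,
  # which is also what lets replies to our own DNS lookups in. It is by
  # far the widest opening in this ruleset.
  "$IPTABLES" -I in_udp -p udp --dport 1024:65535 -j ACCEPT
  printf '%s' " quake (all UDP >1024)"
  echo " - all done"
  echo "Firewall setup complete."
}

# Tear the ruleset down and open the host completely. The sysctl tunables
# written by fw_start are deliberately left as they are.
fw_stop() {
  printf '%s' "Shutting down firewall: "
  "$IPTABLES" -F
  "$IPTABLES" -X
  "$IPTABLES" -P INPUT ACCEPT
  "$IPTABLES" -P FORWARD ACCEPT
  "$IPTABLES" -P OUTPUT ACCEPT
  echo "done"
}

# Print usage and exit 1. NAME is what a Debian-style init wrapper exports;
# when it is unset (the original printed "/etc/init.d/ {start|stop}") fall
# back to this script's own file name.
usage() {
  N=/etc/init.d/${NAME:-${0##*/}}
  echo "Usage: $N {start|stop}" >&2
  exit 1
}

case "$1" in
start)
  fw_start
  ;;
stop)
  fw_stop
  ;;
*)
  usage
  ;;
esac

exit 0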

