[CS-FSLUG] Firewall fights
Ed Hurst
ehurst at asisaid.com
Tue Jan 24 21:19:26 CST 2006
Stephen J. McCracken wrote:
> I, too, would be willing to look at the rules to see if I could help. I
> have done some work with manually creating firewalls with iptables, but
> wouldn't say I'm an expert. Anyway, I could look and try to help.
I currently have logging turned off, since it was generating huge logs.
Beware of linewrapping.
--------------- firewall ---------------
#!/bin/sh
#
# generated by ./quicktables-2.3 on 2006.01.24.16
#
# set a few variables
echo ""
echo " setting global variables"
echo ""
export PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin
iptables="/sbin/iptables"
# adjust /proc
echo " applying general security settings to /proc filesystem"
echo ""
if [ -e /proc/sys/net/ipv4/tcp_syncookies ]; then echo 1 > /proc/sys/net/ipv4/tcp_syncookies; fi
if [ -e /proc/sys/net/ipv4/conf/all/rp_filter ]; then echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter; fi
# flush any existing chains and set default policies
$iptables -F INPUT
$iptables -F OUTPUT
$iptables -P INPUT DROP
$iptables -P OUTPUT ACCEPT
# allow all packets on the loopback interface
$iptables -A INPUT -i lo -j ACCEPT
$iptables -A OUTPUT -o lo -j ACCEPT
# allow established and related packets back in
$iptables -A INPUT -i lan0 -m state --state ESTABLISHED,RELATED -j ACCEPT
# blocked hosts
echo " dropping all packets from blocked hosts"
echo ""
# NOTE: "no" is not an address or network; iptables tries to resolve it as a
# hostname and this rule fails to load, so no host is actually blocked here
$iptables -I INPUT -s no -j DROP
# icmp
echo " applying icmp rules"
echo ""
$iptables -A OUTPUT -p icmp -m state --state NEW -j ACCEPT
$iptables -A INPUT -p icmp -m state --state ESTABLISHED,RELATED -j ACCEPT
$iptables -A INPUT -p icmp --icmp-type echo-request -m limit --limit 1/s -i lan0 -j ACCEPT
# apply icmp type match blocking
echo " applying icmp type match blocking"
echo ""
$iptables -I INPUT -p icmp --icmp-type redirect -j DROP
$iptables -I INPUT -p icmp --icmp-type router-advertisement -j DROP
$iptables -I INPUT -p icmp --icmp-type router-solicitation -j DROP
$iptables -I INPUT -p icmp --icmp-type address-mask-request -j DROP
$iptables -I INPUT -p icmp --icmp-type address-mask-reply -j DROP
# open ports to the firewall
echo " applying the open port(s) to the firewall rules"
echo ""
$iptables -A INPUT -p tcp --dport 22 -j ACCEPT
# drop all other packets
echo " applying default drop policies"
echo ""
$iptables -A INPUT -i lan0 -p tcp --dport 0:65535 -j DROP
$iptables -A INPUT -i lan0 -p udp --dport 0:65535 -j DROP
echo "### quicktables is loaded ###"
echo ""
--------------- end ---------------
--
Ed Hurst
----------
Bible Application - http://ed.asisaid.com/bible/index.html
Plain & Simple Computer Help - http://ed.asisaid.com/
Mission, Method & Means - http://ed.asisaid.com/blog/
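The script above is posted for debugging, and the things a reader would want to catch before loading it are all visible in the text alone: the `-s no` argument that iptables cannot resolve, the missing FORWARD policy (the script flushes and sets policy for INPUT and OUTPUT only, so FORWARD keeps the kernel default of ACCEPT), and the absence of `set -e`, which lets a rule that fails to load go unnoticed while the "loaded" banner still prints. The following shell lint is an added example, not part of Ed's post or of quicktables; the function names are my own, it runs without root or a live netfilter because it only reads the script text, and the two sample files are constructed excerpts of the posted script (192.0.2.0/24 in the fixed copy is a documentation prefix standing in for a real block list).

```shell
#!/bin/sh
# Static checks for an iptables rule script such as quicktables output.
# Added example, not from the original post or from quicktables.  It reads
# the script text only, so it needs neither root nor a running firewall.

# 1. Every -s/-d argument should be an IPv4 address or CIDR prefix.
#    iptables hands anything else to the resolver as a hostname, so a
#    leftover placeholder such as "-s no" makes that one rule fail to load.
lint_host_args() {
    awk '
    /^[[:space:]]*#/ { next }                  # skip comment lines
    /iptables/ {
        for (i = 1; i < NF; i++) {
            if ($i == "-s" || $i == "-d") {
                v = $(i + 1)
                if (v == "!") v = $(i + 2)     # old-style "-s ! addr" negation
                if (v !~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+(\/[0-9]+)?$/)
                    printf "line %d: %s %s is not an IPv4 host/network\n", NR, $i, $(i + 1)
            }
        }
    }' "$1"
}

# 2. Setting -P INPUT but never -P FORWARD leaves the FORWARD chain at the
#    kernel default of ACCEPT; "-F INPUT" and "-F OUTPUT" do not touch it.
lint_policies() {
    if grep -Eq -- '-P[[:space:]]+INPUT' "$1" && ! grep -Eq -- '-P[[:space:]]+FORWARD' "$1"; then
        echo "no -P FORWARD policy: forwarded packets keep the kernel default (ACCEPT)"
    fi
}

# 3. Without "set -e" a failing iptables call is ignored and the script
#    still reaches its success banner.
lint_error_handling() {
    if ! grep -Eq '^[[:space:]]*set -e' "$1"; then
        echo "no 'set -e': a rule that fails to load is skipped silently"
    fi
}

# Run all checks: return 0 when clean, 1 with the findings printed.
lint_rules() {
    findings=$( lint_host_args "$1"; lint_policies "$1"; lint_error_handling "$1" )
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}

# Constructed sample: the lines of the posted script that matter here.
BAD=$(mktemp); FIXED=$(mktemp)
trap 'rm -f "$BAD" "$FIXED"' EXIT
cat > "$BAD" <<'EOF'
#!/bin/sh
iptables="/sbin/iptables"
$iptables -F INPUT
$iptables -F OUTPUT
$iptables -P INPUT DROP
$iptables -P OUTPUT ACCEPT
$iptables -A INPUT -i lan0 -m state --state ESTABLISHED,RELATED -j ACCEPT
$iptables -I INPUT -s no -j DROP
$iptables -A INPUT -p tcp --dport 22 -j ACCEPT
EOF

# Constructed sample: the same fragment with the three findings addressed
# (192.0.2.0/24 is a documentation prefix standing in for a real block list).
cat > "$FIXED" <<'EOF'
#!/bin/sh
set -e
iptables="/sbin/iptables"
$iptables -F INPUT
$iptables -F OUTPUT
$iptables -F FORWARD
$iptables -P INPUT DROP
$iptables -P FORWARD DROP
$iptables -P OUTPUT ACCEPT
$iptables -A INPUT -i lan0 -m state --state ESTABLISHED,RELATED -j ACCEPT
$iptables -I INPUT -s 192.0.2.0/24 -j DROP
$iptables -A INPUT -p tcp --dport 22 -j ACCEPT
EOF

for f in "$BAD" "$FIXED"; do
    if lint_rules "$f"; then echo "$f: clean"; else echo "$f: fix before loading"; fi
done
```

Run it against the real script with `lint_rules /path/to/firewall`; a non-zero exit means something would not load or would load with a wider open door than intended. The lint deliberately stops at text checks: interface names such as lan0 and the order of `-I` versus `-A` rules can only be verified on the box itself with `iptables -L -v -n` after loading.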