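#!/bin/sh
#
# Host firewall for a single-homed server.  Flushes every existing rule,
# sets the INPUT policy to DROP, then whitelists the services that should
# be reachable from the Internet and from the VPN tunnels.  OUTPUT and
# FORWARD are left at ACCEPT.
#
# Must be run as root with iptables available at $IPTABLES (below).
#
# NOTE: there is deliberately no 'set -e'.  Once the INPUT policy is DROP,
# aborting halfway through the rule list would leave the host unreachable;
# iptables reports individual failures on stderr but the script continues.
set -u

# Absolute path to iptables and the interface names.
# OUTSIDE is the outside or untrusted interface that connects to the Internet.
# VPN and VPN2 are the tunnel interfaces whose traffic is trusted.
IPTABLES="/sbin/iptables"
OUTSIDE=eth0
VPN=tun0
# NOTE(review): Linux interface names are case-sensitive; if the second
# tunnel is really called tun1 the $VPN2 rule below never matches — confirm
# against 'ip link'.
VPN2=TUN1

# Bail out early rather than have every rule below fail one by one.
if [ "$(id -u)" -ne 0 ]; then
  printf '%s: must be run as root\n' "$0" >&2
  exit 1
fi
if [ ! -x "$IPTABLES" ]; then
  printf '%s: %s not found or not executable\n' "$0" "$IPTABLES" >&2
  exit 1
fi

#
# Clear out any existing firewall rules, and any chains that might have
# been created. Then set the default policies.  INPUT goes to DROP *before*
# the accept rules are added so the host fails closed while the list is
# being rebuilt (an SSH session stays up via the ESTABLISHED rule below
# once the script completes).
"$IPTABLES" -F
"$IPTABLES" -F INPUT
"$IPTABLES" -F OUTPUT
"$IPTABLES" -F FORWARD
"$IPTABLES" -F -t mangle
"$IPTABLES" -F -t nat
"$IPTABLES" -X
"$IPTABLES" -P INPUT DROP
"$IPTABLES" -P OUTPUT ACCEPT
# FORWARD is wide open; that is only safe if this host does not route
# between its interfaces (ip_forward off) or forwarding is restricted
# elsewhere — nothing in this script constrains it.
"$IPTABLES" -P FORWARD ACCEPT

#
# Begin setting up the rulesets. First define some rule chains to handle
# exception conditions. These chains will receive packets that we aren't
# willing to pass. Limiters on logging are used so as to not to swamp the
# firewall in a DOS scenario.
#   silent     - Just drop it on the floor, used for internal noise
#   tcpflags   - Illegal TCP flag combinations, most likely a scan or attack
#   firewalled - Everything else we refuse, possibly from an attack
# The LOG rules in tcpflags and firewalled are currently commented out, so
# those chains drop without a trace; uncomment them for rate-limited logging.
"$IPTABLES" -N silent
"$IPTABLES" -A silent -j DROP

"$IPTABLES" -N tcpflags
#"$IPTABLES" -A tcpflags -m limit --limit 15/minute -j LOG --log-prefix TCPflags:
"$IPTABLES" -A tcpflags -j DROP

"$IPTABLES" -N firewalled
#"$IPTABLES" -A firewalled -m limit --limit 15/minute -j LOG --log-prefix Firewalled:
"$IPTABLES" -A firewalled -j DROP

#
# These are all TCP flag combinations that should never, ever, occur in the
# wild. All of these are illegal combinations that are used to attack a box
# in various ways.  They sit ahead of the ESTABLISHED accept so that bogus
# flags on an existing flow are still dropped.
"$IPTABLES" -A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -j tcpflags
"$IPTABLES" -A INPUT -p tcp --tcp-flags ALL ALL -j tcpflags
"$IPTABLES" -A INPUT -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j tcpflags
"$IPTABLES" -A INPUT -p tcp --tcp-flags ALL NONE -j tcpflags
"$IPTABLES" -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j tcpflags
"$IPTABLES" -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j tcpflags

#
# Allow selected ICMP types and drop the rest.
#   0  echo-reply, 3 destination-unreachable, 11 time-exceeded: always
#   8  echo-request: rate-limited; anything over the limit falls through
#      to the catch-all below and is dropped.
"$IPTABLES" -A INPUT -p icmp --icmp-type 0 -j ACCEPT
"$IPTABLES" -A INPUT -p icmp --icmp-type 3 -j ACCEPT
"$IPTABLES" -A INPUT -p icmp --icmp-type 11 -j ACCEPT
"$IPTABLES" -A INPUT -p icmp --icmp-type 8 -m limit --limit 1/second -j ACCEPT
"$IPTABLES" -A INPUT -p icmp -j firewalled

#
# The loopback interface is inherently trustworthy. Don't disable it or
# a number of things on the firewall will break.
"$IPTABLES" -A INPUT -i lo -j ACCEPT

#
# IPs that need to be blocked for some reason.
#"$IPTABLES" -A INPUT -i "$OUTSIDE" -s 173.186.200.78 -p tcp -j firewalled

#
# Allow packets that are part of an established connection to pass
# through the firewall. This is required for normal Internet activity
# by inside clients.
"$IPTABLES" -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

#
# Silently drop NetBIOS name-service chatter (UDP 137 -> 137).  Note that
# this is the only SMB-related port handled here; anything else on 137-139
# or 445 is caught by the catch-all at the end instead.
"$IPTABLES" -A INPUT -p udp --sport 137 --dport 137 -j silent

#
# Various incoming stuff.
"$IPTABLES" -A INPUT -i "$VPN" -p tcp -j ACCEPT   # Allow everything over VPN.
"$IPTABLES" -A INPUT -i "$VPN" -p udp -j ACCEPT   # .
# UDP only from the second VPN — unlike $VPN, TCP is not opened here.
# NOTE(review): confirm that asymmetry is intended.
"$IPTABLES" -A INPUT -i "$VPN2" -p udp -j ACCEPT
"$IPTABLES" -A INPUT -i "$OUTSIDE" -p tcp --dport 22 -j ACCEPT    # SSH
"$IPTABLES" -A INPUT -i "$OUTSIDE" -p tcp --dport 25 -j ACCEPT    # SMTP
"$IPTABLES" -A INPUT -i "$OUTSIDE" -p tcp --dport 80 -j ACCEPT    # WWW
#"$IPTABLES" -A INPUT -i "$OUTSIDE" -p tcp --dport 143 -j ACCEPT  # IMAP disabled for now.
"$IPTABLES" -A INPUT -i "$OUTSIDE" -p tcp --dport 587 -j ACCEPT   # mail submission for a friend
"$IPTABLES" -A INPUT -i "$OUTSIDE" -p tcp --dport 1194 -j ACCEPT  # openvpn connections
#"$IPTABLES" -A INPUT -i "$OUTSIDE" -s 204.155.28.10 -p udp --dport 5060 -j ACCEPT  # SIP from Sipgate
#"$IPTABLES" -A INPUT -i "$OUTSIDE" -s 8.17.37.23 -p udp --dport 5060 -j ACCEPT     # SIP from Teliax only
"$IPTABLES" -A INPUT -i "$OUTSIDE" -s 1.2.3.0/24 -p tcp --dport 5900 -j ACCEPT      # vnc, from one trusted /24 only
"$IPTABLES" -A INPUT -i "$OUTSIDE" -p tcp --dport 6667 -j ACCEPT  # IRC

#
# Anything that hasn't already matched gets logged (if enabled) and then dropped.
"$IPTABLES" -A INPUT -j firewalled
#
#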