
I redid my iptables script.

Please have a look:

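#!/bin/bash
#
# Builds an in-memory iptables firewall for a small NAT gateway.
# WAN_IF (eth1) points to the internet.
# LAN_IF (eth0) points to my network.
#
# Rules live only in the kernel; re-run this script at boot. Must run as root.
# A failing iptables command aborts the script instead of leaving a silent
# gap in the rule set, so test from the console rather than over SSH.

set -eu

readonly IPTABLES="/sbin/iptables"
readonly WAN_IF="eth1"
readonly LAN_IF="eth0"
readonly LAN_NET="192.168.0.0/24"
# LAN hosts that are blocked outright (see "BAD GUYS" below).
readonly BLOCKED_SRC=(192.168.0.39 192.168.0.57)

if [[ "$(id -u)" -ne 0 ]]; then
  printf 'error: %s must run as root\n' "${0##*/}" >&2
  exit 1
fi

# Remove any existing rules from all chains. The nat table is separate from
# the filter table and must be flushed on its own, otherwise every run of this
# script appends another MASQUERADE rule to POSTROUTING.
"$IPTABLES" --flush
"$IPTABLES" --delete-chain
"$IPTABLES" -t nat --flush
"$IPTABLES" -t nat --delete-chain

# Allow packet forwarding (needed for the LAN to reach the internet via NAT).
echo "1" > /proc/sys/net/ipv4/ip_forward

# Set the default policy to DROP; everything below is an explicit exception.
"$IPTABLES" --policy INPUT DROP
"$IPTABLES" --policy OUTPUT DROP
"$IPTABLES" --policy FORWARD DROP

# Allow unlimited traffic on the loopback interface
"$IPTABLES" -A INPUT -i lo -j ACCEPT
"$IPTABLES" -A OUTPUT -o lo -j ACCEPT

# BAD GUYS, block source IP address.
# These come before any ACCEPT (including the RELATED,ESTABLISHED rule) so a
# blocked host cannot keep an already-open connection alive, and they apply to
# FORWARD too so a blocked LAN host cannot use the gateway to reach the internet.
for bad_src in "${BLOCKED_SRC[@]}"; do
  "$IPTABLES" -A INPUT -s "$bad_src" -j DROP
  "$IPTABLES" -A FORWARD -s "$bad_src" -j DROP
done

# ICMP: type 8 is echo-request (ping); type 11 is time-exceeded (traceroute
# replies and TTL expiry).
"$IPTABLES" -A INPUT -p icmp --icmp-type 8 -j ACCEPT   # ICMP echo-request
"$IPTABLES" -A INPUT -p icmp --icmp-type 11 -j ACCEPT  # ICMP time-exceeded

# NAT for the LAN: rewrite the source of LAN packets leaving for any
# non-LAN destination. NOTE: the "-d ! addr" spelling is the legacy form;
# iptables 1.4.3+ prefers "! -d addr" and may warn about this one.
"$IPTABLES" -t nat -A POSTROUTING -s "$LAN_NET" -d ! "$LAN_NET" -j MASQUERADE

# mDNS (224.0.0.251:5353/udp) from the LAN side only; it is link-local
# multicast and has no business arriving on the internet interface.
"$IPTABLES" -A INPUT -i "$LAN_IF" -s 224.0.0.251 -p udp -m udp --dport 5353 -j ACCEPT

# Stateful rules.
# INPUT/OUTPUT: the firewall host itself may open any connection and receive
# replies.
"$IPTABLES" -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
"$IPTABLES" -A OUTPUT -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
# FORWARD: LAN hosts may open connections towards the internet, and only the
# replies to those connections are forwarded back in. The original single
# "-i eth0 RELATED,ESTABLISHED" rule never let a NEW LAN connection out and
# never let the reply in on eth1, so the MASQUERADE above could not work.
"$IPTABLES" -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" \
  -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
"$IPTABLES" -A FORWARD -i "$WAN_IF" -o "$LAN_IF" \
  -m state --state RELATED,ESTABLISHED -j ACCEPT

"$IPTABLES" -A INPUT -m state --state INVALID -j DROP
"$IPTABLES" -A OUTPUT -m state --state INVALID -j DROP

# DNS server-to-server traffic (zone transfers / notifies) on the internet side.
# Matches only packets with BOTH source and destination port 53, so ordinary
# client lookups are not covered by this. The OUTPUT pair is already covered
# by the NEW,RELATED,ESTABLISHED OUTPUT rule above and is kept for clarity.
"$IPTABLES" -A INPUT -i "$WAN_IF" -p udp --sport 53 --dport 53 -m state --state NEW -j ACCEPT
"$IPTABLES" -A INPUT -i "$WAN_IF" -p tcp --sport 53 --dport 53 -m state --state NEW -j ACCEPT
"$IPTABLES" -A OUTPUT -o "$WAN_IF" -p udp --sport 53 --dport 53 -m state --state NEW -j ACCEPT
"$IPTABLES" -A OUTPUT -o "$WAN_IF" -p tcp --sport 53 --dport 53 -m state --state NEW -j ACCEPT

# Services reachable from anywhere (webmail). No interface restriction on purpose.
"$IPTABLES" -A INPUT -p tcp --dport 80 -j ACCEPT   # HTTP
"$IPTABLES" -A INPUT -p tcp --dport 443 -j ACCEPT  # HTTPS

# Services reachable from the LAN only.
"$IPTABLES" -A INPUT -i "$LAN_IF" -p tcp --dport 110 -j ACCEPT   # POP3
"$IPTABLES" -A INPUT -i "$LAN_IF" -p tcp --dport 995 -j ACCEPT   # POP3S
"$IPTABLES" -A INPUT -i "$LAN_IF" -p tcp --dport 25 -j ACCEPT    # SMTP
"$IPTABLES" -A INPUT -i "$LAN_IF" -p tcp --dport 22 -j ACCEPT    # SSH
"$IPTABLES" -A INPUT -i "$LAN_IF" -p tcp --dport 21 -j ACCEPT    # FTP
"$IPTABLES" -A INPUT -i "$LAN_IF" -p tcp --dport 631 -j ACCEPT   # IPP printers
"$IPTABLES" -A INPUT -i "$LAN_IF" -p tcp --dport 9100 -j ACCEPT  # HP JetDirect printers

# ---[ Applications allowed on my network ]---

# MSN Messenger
"$IPTABLES" -A INPUT -i "$LAN_IF" -p tcp --dport 6891:6892 -j ACCEPT  # MSN file send
"$IPTABLES" -A INPUT -i "$LAN_IF" -p tcp --dport 1863 -j ACCEPT       # messaging
"$IPTABLES" -A INPUT -i "$LAN_IF" -p tcp --dport 5190 -j ACCEPT       # video
"$IPTABLES" -A INPUT -i "$LAN_IF" -p tcp --dport 6901 -j ACCEPT       # voice

# Yahoo Messenger
"$IPTABLES" -A INPUT -i "$LAN_IF" -p tcp --dport 5000:5001 -j ACCEPT  # voice chat
"$IPTABLES" -A INPUT -i "$LAN_IF" -p tcp --dport 5050 -j ACCEPT       # messaging
"$IPTABLES" -A INPUT -i "$LAN_IF" -p tcp --dport 5100 -j ACCEPT       # webcam/video

# BitTorrent, from one LAN host to the firewall itself.
"$IPTABLES" -A INPUT -s 192.168.0.21 -p tcp --dport 6881:6999 -j ACCEPT
"$IPTABLES" -A INPUT -s 192.168.0.21 -p udp --dport 6881:6999 -j ACCEPT

# Global rejects must come last. Anything not matched above is answered with
# a rejection rather than silently dropped by the chain policy.
"$IPTABLES" -A INPUT -j REJECT
"$IPTABLES" -A FORWARD -j REJECT
"$IPTABLES" -A OUTPUT -j REJECT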