mechtn's firewall script - Printable Version

+- Linux-Noob Forums (https://www.linux-noob.com/forums)
+-- Forum: Linux Server Administration (https://www.linux-noob.com/forums/forum-8.html)
+--- Forum: Security and Firewalls (https://www.linux-noob.com/forums/forum-87.html)
+--- Thread: mechtn's firewall script (/thread-2579.html)
mechtn's firewall script - mechtn - 2005-06-27

Here is my iptables firewall script. I'm currently in the process of learning iptables, and this is where I'm keeping my most recent and up-to-date working version. I plan on keeping the script well documented for other noobs like myself, so try it out if you're looking to get into iptables.

iptables 1.2.11
Gentoo 2.6.11-r11

firewall.sh
------------------------------
#!/bin/sh
# NAT gateway / firewall: eth1 faces the Internet, eth0 faces the LAN (10.10.23.0/24)

# Location of the iptables binary
IPTABLES=/sbin/iptables

# External (Internet-facing) and internal (LAN) interfaces
EXTIF="eth1"
INTIF="eth0"

# Enable IP forwarding and dynamic-address handling (for a dial-up/DHCP external IP)
echo "1" > /proc/sys/net/ipv4/ip_forward
echo "1" > /proc/sys/net/ipv4/ip_dynaddr

# Clear any existing rules and set the default policies:
# drop everything inbound and forwarded unless explicitly allowed, allow all outbound
$IPTABLES -P INPUT DROP
$IPTABLES -F INPUT
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -F OUTPUT
$IPTABLES -P FORWARD DROP
$IPTABLES -F FORWARD
$IPTABLES -t nat -F

# FORWARD (traffic passing through the box)
# Note: the filter FORWARD chain is evaluated after nat PREROUTING, so for the
# port forwards below --dport here is the translated port (3389 for every RDP
# forward), not the public-facing one. 3450 and 3500 in the multiport list
# therefore never match forwarded traffic; it arrives as port 3389.
# Replies to connections started from the LAN
$IPTABLES -A FORWARD -i $EXTIF -o $INTIF -m state --state ESTABLISHED,RELATED -j ACCEPT
# Services forwarded to LAN hosts (see PREROUTING below)
$IPTABLES -A FORWARD -p tcp -m multiport --dports 21,25,80,110,1723,3389,3450,3500,6881 -j ACCEPT
$IPTABLES -A FORWARD -p tcp --dport 3389:3500 -i $EXTIF -j ACCEPT
$IPTABLES -A FORWARD -p tcp -d 10.10.23.95 --dport 1723 -j ACCEPT
$IPTABLES -A FORWARD -p udp -d 10.10.23.80 --dport 6881 -j ACCEPT
# Anything from the LAN out to the Internet, and LAN traffic for 10.10.24.0/24
$IPTABLES -A FORWARD -i $INTIF -o $EXTIF -j ACCEPT
$IPTABLES -A FORWARD -i $INTIF -d 10.10.24.0/24 -j ACCEPT

# VPN (PPTP to 10.10.23.95: TCP 1723 for control, GRE = IP protocol 47 for the tunnel)
$IPTABLES -A FORWARD -i $EXTIF -p 47 -d 10.10.23.95 -j ACCEPT
$IPTABLES -A FORWARD -i $EXTIF -p tcp -d 10.10.23.95 --dport 1723 -j ACCEPT

# Log whatever gets this far (LOG is non-terminating: rules appended later still apply)
$IPTABLES -A FORWARD -j LOG

# INPUT (traffic addressed to the firewall itself)
# Accept all traffic from the internal network and from loopback
$IPTABLES -A INPUT -i $INTIF -j ACCEPT
$IPTABLES -A INPUT -i lo -j ACCEPT
# Replies to connections the firewall itself opened
$IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A INPUT -i $INTIF -d 10.10.24.0/24 -j ACCEPT
# Answer pings
$IPTABLES -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
# VPN (PPTP arriving on $EXTIF is DNATed to 10.10.23.95 in PREROUTING, so these
# only see connections aimed at the firewall itself)
$IPTABLES -A INPUT -p 47 -j ACCEPT
$IPTABLES -A INPUT -p tcp --dport 1723 -j ACCEPT
# Example: allow TCP to a single port (SSH from the Internet, DNS over TCP from the LAN)
$IPTABLES -A INPUT -i $EXTIF -p tcp --dport 22 -j ACCEPT
$IPTABLES -A INPUT -i $INTIF -p tcp --dport 53 -j ACCEPT

# Ports 5631/5632 forwarded to 10.10.23.48 (appended after the LOG rule above,
# so hits on these are logged before being accepted)
$IPTABLES -A FORWARD -p tcp -d 10.10.23.48 --dport 5631 -j ACCEPT
$IPTABLES -A FORWARD -p udp -d 10.10.23.48 --dport 5632 -j ACCEPT

# PREROUTING (port forwards from the Internet to LAN hosts)
$IPTABLES -t nat -A PREROUTING -i $EXTIF -p tcp --dport 21 -j DNAT --to 10.10.23.3:21
$IPTABLES -t nat -A PREROUTING -i $EXTIF -p tcp --dport 5631 -j DNAT --to 10.10.23.48:5631
$IPTABLES -t nat -A PREROUTING -i $EXTIF -p udp --dport 5632 -j DNAT --to 10.10.23.48:5632
$IPTABLES -t nat -A PREROUTING -i $EXTIF -p tcp --dport 25 -j DNAT --to 10.10.23.3:25
$IPTABLES -t nat -A PREROUTING -i $EXTIF -p tcp --dport 80 -j DNAT --to 10.10.23.95:80
$IPTABLES -t nat -A PREROUTING -i $EXTIF -p tcp --dport 110 -j DNAT --to 10.10.23.95:110
$IPTABLES -t nat -A PREROUTING -i $EXTIF -p tcp --dport 6881 -j DNAT --to 10.10.23.80:6881
$IPTABLES -t nat -A PREROUTING -i $EXTIF -p udp --dport 6881 -j DNAT --to 10.10.23.80:6881

# RDP: one external port per LAN host, all translated to 3389 on the inside.
# Unassigned external ports: 3399, 3405, 3410, 3430, 3448
# (3423 and 3424 both go to 10.10.24.155; 3411 and 3449 both go to 10.10.23.116)
$IPTABLES -t nat -A PREROUTING -i $EXTIF -p tcp --dport 3389 -j DNAT --to 10.10.23.95:3389
$IPTABLES -t nat -A PREROUTING -i $EXTIF -p tcp --dport 3390 -j DNAT --to 10.10.23.98:3389
$IPTABLES -t nat -A PREROUTING -i $EXTIF -p tcp --dport 3391 -j DNAT --to 10.10.23.80:3389
$IPTABLES -t nat -A PREROUTING -i $EXTIF -p tcp --dport 3392 -j DNAT --to 10.10.23.166:3389
$IPTABLES -t nat -A PREROUTING -i $EXTIF -p tcp --dport 3393 -j DNAT --to 10.10.23.159:3389
$IPTABLES -t nat -A PREROUTING -i $EXTIF -p tcp --dport 3394 -j DNAT --to 10.10.23.16:3389
$IPTABLES -t nat -A PREROUTING -i $EXTIF -p tcp --dport 3395 -j DNAT --to 10.10.23.88:3389
$IPTABLES -t nat -A PREROUTING -i $EXTIF -p tcp --dport 3396 -j DNAT --to 10.10.23.40:3389
$IPTABLES -t nat -A PREROUTING -i $EXTIF -p tcp --dport 3397 -j DNAT --to 10.10.23.97:3389
$IPTABLES -t nat -A PREROUTING -i $EXTIF -p tcp --dport 3398 -j DNAT --to 10.10.23.23:3389
$IPTABLES -t nat -A PREROUTING -i $EXTIF -p tcp --dport 3400 -j DNAT --to 10.10.23.146:3389
$IPTABLES -t nat -A PREROUTING -i $EXTIF -p tcp --dport 3401 -j DNAT --to 10.10.23.66:3389
$IPTABLES -t nat -A PREROUTING -i $EXTIF -p tcp --dport 3402 -j DNAT --to 10.10.23.121:3389
$IPTABLES -t nat -A PREROUTING -i $EXTIF -p tcp --dport 3403 -j DNAT --to 10.10.23.20:3389
$IPTABLES -t nat -A PREROUTING -i $EXTIF -p tcp --dport 3404 -j DNAT --to 10.10.23.120:3389
$IPTABLES -t nat -A PREROUTING -i $EXTIF -p tcp --dport 3406 -j DNAT --to 10.10.23.191:3389
$IPTABLES -t nat -A PREROUTING -i $EXTIF -p tcp --dport 3407 -j DNAT --to 10.10.23.180:3389
$IPTABLES -t nat -A PREROUTING -i $EXTIF -p tcp --dport 3408 -j DNAT --to 10.10.23.71:3389
$IPTABLES -t nat -A PREROUTING -i $EXTIF -p tcp --dport 3409 -j DNAT --to 10.10.23.45:3389
$IPTABLES -t nat -A PREROUTING -i $EXTIF -p tcp --dport 3411 -j DNAT --to 10.10.23.116:3389
$IPTABLES -t nat -A PREROUTING -i $EXTIF -p tcp --dport 3412 -j DNAT --to 10.10.23.101:3389
$IPTABLES -t nat -A PREROUTING -i $EXTIF -p tcp --dport 3413 -j DNAT --to 10.10.23.165:3389
$IPTABLES -t nat -A PREROUTING -i $EXTIF -p tcp --dport 3414 -j DNAT --to 10.10.23.43:3389
$IPTABLES -t nat -A PREROUTING -i $EXTIF -p tcp --dport 3415 -j DNAT --to 10.10.23.181:3389
$IPTABLES -t nat -A PREROUTING -i $EXTIF -p tcp --dport 3416 -j DNAT --to 10.10.23.143:3389
$IPTABLES -t nat -A PREROUTING -i $EXTIF -p tcp --dport 3417 -j DNAT --to 10.10.23.209:3389
$IPTABLES -t nat -A PREROUTING -i $EXTIF -p tcp --dport 3418 -j DNAT --to 10.10.23.85:3389
$IPTABLES -t nat -A PREROUTING -i $EXTIF -p tcp --dport 3419 -j DNAT --to 10.10.23.73:3389
$IPTABLES -t nat -A PREROUTING -i $EXTIF -p tcp --dport 3420 -j DNAT --to 10.10.23.129:3389
$IPTABLES -t nat -A PREROUTING -i $EXTIF -p tcp --dport 3421 -j DNAT --to 10.10.23.140:3389
$IPTABLES -t nat -A PREROUTING -i $EXTIF -p tcp --dport 3422 -j DNAT --to 10.10.23.172:3389
$IPTABLES -t nat -A PREROUTING -i $EXTIF -p tcp --dport 3423 -j DNAT --to 10.10.24.155:3389
$IPTABLES -t nat -A PREROUTING -i $EXTIF -p tcp --dport 3424 -j DNAT --to 10.10.24.155:3389
$IPTABLES -t nat -A PREROUTING -i $EXTIF -p tcp --dport 3425 -j DNAT --to 10.10.23.29:3389
$IPTABLES -t nat -A PREROUTING -i $EXTIF -p tcp --dport 3426 -j DNAT --to 10.10.23.158:3389
$IPTABLES -t nat -A PREROUTING -i $EXTIF -p tcp --dport 3427 -j DNAT --to 10.10.23.117:3389
$IPTABLES -t nat -A PREROUTING -i $EXTIF -p tcp --dport 3428 -j DNAT --to 10.10.23.207:3389
$IPTABLES -t nat -A PREROUTING -i $EXTIF -p tcp --dport 3429 -j DNAT --to 10.10.23.142:3389
$IPTABLES -t nat -A PREROUTING -i $EXTIF -p tcp --dport 3431 -j DNAT --to 10.10.23.122:3389
$IPTABLES -t nat -A PREROUTING -i $EXTIF -p tcp --dport 3432 -j DNAT --to 10.10.23.86:3389
$IPTABLES -t nat -A PREROUTING -i $EXTIF -p tcp --dport 3433 -j DNAT --to 10.10.23.134:3389
$IPTABLES -t nat -A PREROUTING -i $EXTIF -p tcp --dport 3434 -j DNAT --to 10.10.23.137:3389
$IPTABLES -t nat -A PREROUTING -i $EXTIF -p tcp --dport 3435 -j DNAT --to 10.10.23.149:3389
$IPTABLES -t nat -A PREROUTING -i $EXTIF -p tcp --dport 3436 -j DNAT --to 10.10.23.126:3389
$IPTABLES -t nat -A PREROUTING -i $EXTIF -p tcp --dport 3437 -j DNAT --to 10.10.23.57:3389
$IPTABLES -t nat -A PREROUTING -i $EXTIF -p tcp --dport 3438 -j DNAT --to 10.10.23.227:3389
$IPTABLES -t nat -A PREROUTING -i $EXTIF -p tcp --dport 3439 -j DNAT --to 10.10.23.34:3389
$IPTABLES -t nat -A PREROUTING -i $EXTIF -p tcp --dport 3440 -j DNAT --to 10.10.23.234:3389
$IPTABLES -t nat -A PREROUTING -i $EXTIF -p tcp --dport 3441 -j DNAT --to 10.10.24.99:3389
$IPTABLES -t nat -A PREROUTING -i $EXTIF -p tcp --dport 3442 -j DNAT --to 10.10.23.125:3389
$IPTABLES -t nat -A PREROUTING -i $EXTIF -p tcp --dport 3443 -j DNAT --to 10.10.23.189:3389
$IPTABLES -t nat -A PREROUTING -i $EXTIF -p tcp --dport 3444 -j DNAT --to 10.10.23.161:3389
$IPTABLES -t nat -A PREROUTING -i $EXTIF -p tcp --dport 3445 -j DNAT --to 10.10.23.202:3389
$IPTABLES -t nat -A PREROUTING -i $EXTIF -p tcp --dport 3446 -j DNAT --to 10.10.23.53:3389
$IPTABLES -t nat -A PREROUTING -i $EXTIF -p tcp --dport 3447 -j DNAT --to 10.10.23.182:3389
$IPTABLES -t nat -A PREROUTING -i $EXTIF -p tcp --dport 3449 -j DNAT --to 10.10.23.116:3389
$IPTABLES -t nat -A PREROUTING -i $EXTIF -p tcp --dport 3450 -j DNAT --to 10.10.23.114:3389
$IPTABLES -t nat -A PREROUTING -i $EXTIF -p tcp --dport 3451 -j DNAT --to 10.10.24.157:3389
$IPTABLES -t nat -A PREROUTING -i $EXTIF -p tcp --dport 3452 -j DNAT --to 10.10.23.65:3389
$IPTABLES -t nat -A PREROUTING -i $EXTIF -p tcp --dport 3453 -j DNAT --to 10.10.23.70:3389
$IPTABLES -t nat -A PREROUTING -i $EXTIF -p tcp --dport 3454 -j DNAT --to 10.10.23.220:3389
$IPTABLES -t nat -A PREROUTING -i $EXTIF -p tcp --dport 3500 -j DNAT --to 10.10.23.22:3389

# VPN (PPTP control channel and GRE tunnel to 10.10.23.95)
$IPTABLES -t nat -A PREROUTING -p tcp -i $EXTIF --dport 1723 -j DNAT --to 10.10.23.95:1723
$IPTABLES -t nat -A PREROUTING -p 47 -i $EXTIF -j DNAT --to 10.10.23.95

# Earlier attempts at reaching the web server on the public address from inside (disabled)
#$IPTABLES -t nat -A PREROUTING -p tcp -d 64.247.238.178 --dport 80 -j DNAT --to-destination 10.10.23.95
#$IPTABLES -t nat -A POSTROUTING -p tcp -d 10.10.23.1 -j SNAT --to-source 10.10.23.95:80
#$IPTABLES -t nat -A OUTPUT --dst 64.247.238.178 -p tcp --dport 80 -j DNAT --to-destination 10.10.23.95
#$IPTABLES -t nat -A PREROUTING --dst 64.247.238.178 -p tcp --dport 80 -j DNAT --to-destination 10.10.23.95
#$IPTABLES -t nat -A POSTROUTING -p tcp --dst 10.10.23.95 --dport 80 -j SNAT --to-source 10.10.23.1

# POSTROUTING: rewrite the source of everything leaving on the external interface
$IPTABLES -t nat -A POSTROUTING -o $EXTIF -j MASQUERADE
------------------------------

If you have any questions, you can find me on #linux-noob on EFnet as mechtn, or just leave me a reply here. More documentation to come soon!

mechtn's firewall script - mechtn - 2005-06-27
.....

mechtn's firewall script - mechtn - 2005-06-27
.....

mechtn's firewall script - anyweb - 2005-06-29

dude, what distro etc.? more details, any errors? what is/is not working?
also, what exactly are you trying to do?

cheers
anyweb

mechtn's firewall script - mechtn - 2005-10-04

# Generated by iptables-save v1.2.11 on Tue Oct 4 11:38:00 2005
*nat
:PREROUTING ACCEPT [4580542:426250850]
:POSTROUTING ACCEPT [282533:27972284]
:OUTPUT ACCEPT [9248:700140]
-A PREROUTING -i eth1 -p tcp -m tcp --dport 21 -j DNAT --to-destination 10.10.23.3:21
-A PREROUTING -i eth1 -p tcp -m tcp --dport 5631 -j DNAT --to-destination 10.10.23.48:5631
-A PREROUTING -i eth1 -p udp -m udp --dport 5632 -j DNAT --to-destination 10.10.23.48:5632
-A PREROUTING -i eth1 -p tcp -m tcp --dport 25 -j DNAT --to-destination 10.10.23.3:25
-A PREROUTING -i eth1 -p tcp -m tcp --dport 80 -j DNAT --to-destination 10.10.23.95:80
-A PREROUTING -i eth1 -p tcp -m tcp --dport 110 -j DNAT --to-destination 10.10.23.95:110
-A PREROUTING -i eth1 -p tcp -m tcp --dport 6881 -j DNAT --to-destination 10.10.23.80:6881
-A PREROUTING -i eth1 -p udp -m udp --dport 6881 -j DNAT --to-destination 10.10.23.80:6881
-A PREROUTING -i eth1 -p tcp -m tcp --dport 3389 -j DNAT --to-destination 10.10.23.95:3389
-A PREROUTING -i eth1 -p tcp -m tcp --dport 3390 -j DNAT --to-destination 10.10.23.98:3389
-A PREROUTING -i eth1 -p tcp -m tcp --dport 3391 -j DNAT --to-destination 10.10.23.80:3389
-A PREROUTING -i eth1 -p tcp -m tcp --dport 3392 -j DNAT --to-destination 10.10.23.166:3389
-A PREROUTING -i eth1 -p tcp -m tcp --dport 3393 -j DNAT --to-destination 10.10.23.159:3389
-A PREROUTING -i eth1 -p tcp -m tcp --dport 3394 -j DNAT --to-destination 10.10.23.16:3389
-A PREROUTING -i eth1 -p tcp -m tcp --dport 3395 -j DNAT --to-destination 10.10.23.88:3389
-A PREROUTING -i eth1 -p tcp -m tcp --dport 3396 -j DNAT --to-destination 10.10.23.40:3389
-A PREROUTING -i eth1 -p tcp -m tcp --dport 3397 -j DNAT --to-destination 10.10.23.97:3389
-A PREROUTING -i eth1 -p tcp -m tcp --dport 3398 -j DNAT --to-destination 10.10.23.23:3389
-A PREROUTING -i eth1 -p tcp -m tcp --dport 3400 -j DNAT --to-destination 10.10.23.146:3389
-A PREROUTING -i eth1 -p tcp -m tcp --dport 3401 -j DNAT --to-destination 10.10.23.66:3389
-A PREROUTING -i eth1 -p tcp -m tcp --dport 3402 -j DNAT --to-destination 10.10.23.121:3389
-A PREROUTING -i eth1 -p tcp -m tcp --dport 3403 -j DNAT --to-destination 10.10.23.20:3389
-A PREROUTING -i eth1 -p tcp -m tcp --dport 3404 -j DNAT --to-destination 10.10.23.120:3389
-A PREROUTING -i eth1 -p tcp -m tcp --dport 3406 -j DNAT --to-destination 10.10.23.191:3389
-A PREROUTING -i eth1 -p tcp -m tcp --dport 3407 -j DNAT --to-destination 10.10.23.180:3389
-A PREROUTING -i eth1 -p tcp -m tcp --dport 3408 -j DNAT --to-destination 10.10.23.71:3389
-A PREROUTING -i eth1 -p tcp -m tcp --dport 3409 -j DNAT --to-destination 10.10.23.45:3389
-A PREROUTING -i eth1 -p tcp -m tcp --dport 3411 -j DNAT --to-destination 10.10.23.116:3389
-A PREROUTING -i eth1 -p tcp -m tcp --dport 3412 -j DNAT --to-destination 10.10.23.101:3389
-A PREROUTING -i eth1 -p tcp -m tcp --dport 3413 -j DNAT --to-destination 10.10.23.165:3389
-A PREROUTING -i eth1 -p tcp -m tcp --dport 3414 -j DNAT --to-destination 10.10.23.43:3389
-A PREROUTING -i eth1 -p tcp -m tcp --dport 3415 -j DNAT --to-destination 10.10.23.181:3389
-A PREROUTING -i eth1 -p tcp -m tcp --dport 3416 -j DNAT --to-destination 10.10.23.143:3389
-A PREROUTING -i eth1 -p tcp -m tcp --dport 3417 -j DNAT --to-destination 10.10.23.209:3389
-A PREROUTING -i eth1 -p tcp -m tcp --dport 3418 -j DNAT --to-destination 10.10.23.85:3389
-A PREROUTING -i eth1 -p tcp -m tcp --dport 3419 -j DNAT --to-destination 10.10.23.73:3389
-A PREROUTING -i eth1 -p tcp -m tcp --dport 3420 -j DNAT --to-destination 10.10.23.129:3389
-A PREROUTING -i eth1 -p tcp -m tcp --dport 3421 -j DNAT --to-destination 10.10.23.140:3389
-A PREROUTING -i eth1 -p tcp -m tcp --dport 3422 -j DNAT --to-destination 10.10.23.172:3389
-A PREROUTING -i eth1 -p tcp -m tcp --dport 3423 -j DNAT --to-destination 10.10.24.155:3389
-A PREROUTING -i eth1 -p tcp -m tcp --dport 3424 -j DNAT --to-destination 10.10.24.155:3389
-A PREROUTING -i eth1 -p tcp -m tcp --dport 3425 -j DNAT --to-destination 10.10.23.29:3389
-A PREROUTING -i eth1 -p tcp -m tcp --dport 3426 -j DNAT --to-destination 10.10.23.158:3389
-A PREROUTING -i eth1 -p tcp -m tcp --dport 3427 -j DNAT --to-destination 10.10.23.117:3389
-A PREROUTING -i eth1 -p tcp -m tcp --dport 3428 -j DNAT --to-destination 10.10.23.207:3389
-A PREROUTING -i eth1 -p tcp -m tcp --dport 3429 -j DNAT --to-destination 10.10.23.142:3389
-A PREROUTING -i eth1 -p tcp -m tcp --dport 3431 -j DNAT --to-destination 10.10.23.122:3389
-A PREROUTING -i eth1 -p tcp -m tcp --dport 3432 -j DNAT --to-destination 10.10.23.86:3389
-A PREROUTING -i eth1 -p tcp -m tcp --dport 3433 -j DNAT --to-destination 10.10.23.134:3389
-A PREROUTING -i eth1 -p tcp -m tcp --dport 3434 -j DNAT --to-destination 10.10.23.137:3389
-A PREROUTING -i eth1 -p tcp -m tcp --dport 3435 -j DNAT --to-destination 10.10.23.149:3389
-A PREROUTING -i eth1 -p tcp -m tcp --dport 3436 -j DNAT --to-destination 10.10.23.126:3389
-A PREROUTING -i eth1 -p tcp -m tcp --dport 3437 -j DNAT --to-destination 10.10.23.57:3389
-A PREROUTING -i eth1 -p tcp -m tcp --dport 3438 -j DNAT --to-destination 10.10.23.227:3389
-A PREROUTING -i eth1 -p tcp -m tcp --dport 3439 -j DNAT --to-destination 10.10.23.34:3389
-A PREROUTING -i eth1 -p tcp -m tcp --dport 3440 -j DNAT --to-destination 10.10.23.234:3389
-A PREROUTING -i eth1 -p tcp -m tcp --dport 3441 -j DNAT --to-destination 10.10.24.99:3389
-A PREROUTING -i eth1 -p tcp -m tcp --dport 3442 -j DNAT --to-destination 10.10.23.125:3389
-A PREROUTING -i eth1 -p tcp -m tcp --dport 3443 -j DNAT --to-destination 10.10.23.189:3389
-A PREROUTING -i eth1 -p tcp -m tcp --dport 3444 -j DNAT --to-destination 10.10.23.161:3389
-A PREROUTING -i eth1 -p tcp -m tcp --dport 3445 -j DNAT --to-destination 10.10.23.202:3389
-A PREROUTING -i eth1 -p tcp -m tcp --dport 3446 -j DNAT --to-destination 10.10.23.53:3389
-A PREROUTING -i eth1 -p tcp -m tcp --dport 3447 -j DNAT --to-destination 10.10.23.182:3389
-A PREROUTING -i eth1 -p tcp -m tcp --dport 3449 -j DNAT --to-destination 10.10.23.116:3389
-A PREROUTING -i eth1 -p tcp -m tcp --dport 3450 -j DNAT --to-destination 10.10.23.114:3389
-A PREROUTING -i eth1 -p tcp -m tcp --dport 3451 -j DNAT --to-destination 10.10.24.157:3389
-A PREROUTING -i eth1 -p tcp -m tcp --dport 3452 -j DNAT --to-destination 10.10.23.65:3389
-A PREROUTING -i eth1 -p tcp -m tcp --dport 3453 -j DNAT --to-destination 10.10.23.70:3389
-A PREROUTING -i eth1 -p tcp -m tcp --dport 3454 -j DNAT --to-destination 10.10.23.220:3389
-A PREROUTING -i eth1 -p tcp -m tcp --dport 3500 -j DNAT --to-destination 10.10.23.22:3389
-A PREROUTING -i eth1 -p tcp -m tcp --dport 1723 -j DNAT --to-destination 10.10.23.95:1723
-A PREROUTING -i eth1 -p gre -j DNAT --to-destination 10.10.23.95
-A POSTROUTING -o eth1 -j MASQUERADE
COMMIT
# Completed on Tue Oct 4 11:38:00 2005
# Generated by iptables-save v1.2.11 on Tue Oct 4 11:38:00 2005
*mangle
:PREROUTING ACCEPT [109072319:61314970621]
:INPUT ACCEPT [6816859:842823101]
:FORWARD ACCEPT [102406854:60502331385]
:OUTPUT ACCEPT [5668140:665317946]
:POSTROUTING ACCEPT [107990157:61163410755]
COMMIT
# Completed on Tue Oct 4 11:38:00 2005
# Generated by iptables-save v1.2.11 on Tue Oct 4 11:38:00 2005
*filter
:INPUT DROP [29:1564]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [2827:355089]
:bad_packets - [0:0]
:bad_tcp_packets - [0:0]
:icmp_packets - [0:0]
:tcp_inbound - [0:0]
:tcp_outbound - [0:0]
:udp_inbound - [0:0]
:udp_outbound - [0:0]
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A INPUT -i eth0 -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -d 10.10.24.0/255.255.255.0 -i eth0 -j ACCEPT
-A INPUT -p gre -j ACCEPT
-A INPUT -p tcp -m tcp --dport 1723 -j ACCEPT
-A INPUT -i eth1 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 53 -j ACCEPT
-A FORWARD -i eth1 -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -p tcp -m multiport --dports 21,25,80,110,1723,3389,3450,3500,6881 -j ACCEPT
-A FORWARD -i eth1 -p tcp -m tcp --dport 3389:3500 -j ACCEPT
-A FORWARD -d 10.10.23.95 -p tcp -m tcp --dport 1723 -j ACCEPT
-A FORWARD -d 10.10.23.80 -p udp -m udp --dport 6881 -j ACCEPT
-A FORWARD -i eth0 -o eth1 -j ACCEPT
-A FORWARD -d 10.10.24.0/255.255.255.0 -i eth0 -j ACCEPT
-A FORWARD -d 10.10.23.95 -i eth1 -p gre -j ACCEPT
-A FORWARD -d 10.10.23.95 -i eth1 -p tcp -m tcp --dport 1723 -j ACCEPT
-A FORWARD -j LOG
-A FORWARD -d 10.10.23.48 -p tcp -m tcp --dport 5631 -j ACCEPT
-A FORWARD -d 10.10.23.48 -p udp -m udp --dport 5632 -j ACCEPT
-A bad_packets -s 10.10.23.0/255.255.255.0 -i eth1 -j LOG --log-prefix "Illegal source: "
-A bad_packets -s 10.10.23.0/255.255.255.0 -i eth1 -j DROP
-A bad_packets -m state --state INVALID -j LOG --log-prefix "Invalid packet: "
-A bad_packets -m state --state INVALID -j DROP
-A bad_packets -p tcp -j bad_tcp_packets
-A bad_packets -j RETURN
-A bad_tcp_packets -i eth0 -p tcp -j RETURN
-A bad_tcp_packets -p tcp -m tcp ! --tcp-flags SYN,RST,ACK SYN -m state --state NEW -j LOG --log-prefix "New not syn: "
-A bad_tcp_packets -p tcp -m tcp ! --tcp-flags SYN,RST,ACK SYN -m state --state NEW -j DROP
-A bad_tcp_packets -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j LOG --log-prefix "Stealth scan: "
-A bad_tcp_packets -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
-A bad_tcp_packets -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,PSH,ACK,URG -j LOG --log-prefix "Stealth scan: "
-A bad_tcp_packets -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,PSH,ACK,URG -j DROP
-A bad_tcp_packets -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -j LOG --log-prefix "Stealth scan: "
-A bad_tcp_packets -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -j DROP
-A bad_tcp_packets -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,ACK,URG -j LOG --log-prefix "Stealth scan: "
-A bad_tcp_packets -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,ACK,URG -j DROP
-A bad_tcp_packets -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j LOG --log-prefix "Stealth scan: "
-A bad_tcp_packets -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP
-A bad_tcp_packets -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j LOG --log-prefix "Stealth scan: "
-A bad_tcp_packets -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j DROP
-A bad_tcp_packets -p tcp -j RETURN
-A icmp_packets -p icmp -f -j LOG --log-prefix "ICMP Fragment: "
-A icmp_packets -p icmp -f -j DROP
-A icmp_packets -p icmp -m icmp --icmp-type 8 -j DROP
-A icmp_packets -p icmp -m icmp --icmp-type 11 -j ACCEPT
-A icmp_packets -p icmp -j RETURN
-A tcp_inbound -p tcp -m tcp --dport 113 -j REJECT --reject-with icmp-port-unreachable
-A tcp_inbound -p tcp -m tcp --dport 25 -j ACCEPT
-A tcp_inbound -p tcp -m tcp --dport 110 -j ACCEPT
-A tcp_inbound -p tcp -m tcp --dport 143 -j ACCEPT
-A tcp_inbound -p tcp -m tcp --dport 22 -j ACCEPT
-A tcp_inbound -p tcp -j RETURN
-A tcp_outbound -p tcp -j ACCEPT
-A udp_inbound -p udp -m udp --dport 137 -j DROP
-A udp_inbound -p udp -m udp --dport 138 -j DROP
-A udp_inbound -p udp -m udp --dport 113 -j REJECT --reject-with icmp-port-unreachable
-A udp_inbound -p udp -m udp --sport 67 --dport 68 -j ACCEPT
-A udp_inbound -p udp -j RETURN
-A udp_outbound -p udp -j ACCEPT
COMMIT
# Completed on Tue Oct 4 11:38:00 2005

mechtn's firewall script - asbani - 2005-10-10

He probably wanted to prove his iptables security, and share it with people to secure their servers? I'm not sure, though.
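Two things in the iptables-save dump above are worth checking mechanically rather than by eye. First, the filter table defines bad_packets, bad_tcp_packets, icmp_packets, tcp_inbound, tcp_outbound, udp_inbound and udp_outbound, but no rule in INPUT, FORWARD or OUTPUT ever jumps to them, so the anti-spoofing, stealth-scan and INVALID-state handling they contain never runs. Second, the filter FORWARD chain is evaluated after nat PREROUTING, so for every RDP forward it sees the translated port 3389, and the broad rules (`-m multiport --dports ...` with no interface or destination, `-i eth1 --dport 3389:3500`) are what actually admit the forwarded traffic, not a rule pinned to the host the DNAT targets. The audit below is an added example written for this thread, not mechtn's code or part of the forum post: it parses iptables-save output, lists user chains unreachable from the built-in chains, and classifies each PREROUTING DNAT by the kind of FORWARD ACCEPT that admits new connections to it (host-specific, broad, or none). The embedded sample is a constructed subset of the posted dump plus one made-up forward (tcp/8080 to 10.10.23.50) that has no FORWARD rule at all; IPv4 only, and a FORWARD rule whose `-i` differs from the DNAT rule's `-i` is treated as not applying.

```python
import ipaddress
import shlex
from collections import defaultdict

# Constructed sample: subset of the thread's iptables-save dump, plus a made-up tcp/8080 forward with no FORWARD rule.
SAMPLE_DUMP = """
*nat
-A PREROUTING -i eth1 -p udp -m udp --dport 6881 -j DNAT --to-destination 10.10.23.80:6881
-A PREROUTING -i eth1 -p tcp -m tcp --dport 3390 -j DNAT --to-destination 10.10.23.98:3389
-A PREROUTING -i eth1 -p gre -j DNAT --to-destination 10.10.23.95
-A PREROUTING -i eth1 -p tcp -m tcp --dport 8080 -j DNAT --to-destination 10.10.23.50:8080
COMMIT
*filter
:FORWARD DROP [0:0]
:bad_packets - [0:0]
:bad_tcp_packets - [0:0]
-A FORWARD -i eth1 -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -p tcp -m multiport --dports 21,25,80,110,1723,3389,3450,3500,6881 -j ACCEPT
-A FORWARD -i eth1 -p tcp -m tcp --dport 3389:3500 -j ACCEPT
-A FORWARD -d 10.10.23.80 -p udp -m udp --dport 6881 -j ACCEPT
-A FORWARD -i eth0 -o eth1 -j ACCEPT
-A FORWARD -d 10.10.23.95 -i eth1 -p gre -j ACCEPT
-A bad_packets -p tcp -j bad_tcp_packets
COMMIT
"""
BUILTIN = {"INPUT", "OUTPUT", "FORWARD", "PREROUTING", "POSTROUTING"}

def first(opts, key):
    return (opts.get(key) or [None])[0]

def parse_rule(line):
    """One '-A ...' line -> {option: [values]}; a negated option is keyed as '!<option>'."""
    opts, cur, neg = {}, None, False
    for tok in shlex.split(line):
        if tok == "!":
            neg = True
        elif tok.startswith("-"):
            cur, neg = opts.setdefault(("!" if neg else "") + tok, []), False
        elif cur is not None:
            cur.append(tok)
    return opts

def parse_dump(text):
    """iptables-save text -> {table: {"chains": {name: policy}, "rules": [parsed rules]}}."""
    tables, table = {}, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("*"):
            table = tables.setdefault(line[1:], {"chains": {}, "rules": []})
        elif line.startswith(":"):
            table["chains"][line[1:].split()[0]] = line.split()[1]
        elif line.startswith("-A "):
            table["rules"].append(parse_rule(line))
    return tables

def port_matches(specs, port):
    """Does port fall in any --dport/--dports value ('80', '3389:3500', '21,25,80')?"""
    if not specs or port is None:
        return not specs  # no port match: any port; a port match never hits a port-less proto (GRE)
    for part in ",".join(specs).split(","):
        lo, _, hi = part.part.partition(":") if False else part.partition(":")
        if int(lo) <= port <= int(hi or lo):
            return True
    return False

def unreachable_chains(table):
    """User chains no built-in chain reaches via -j: their rules never run."""
    edges = defaultdict(set)
    for r in table["rules"]:
        edges[r["-A"][0]].update(t for t in r.get("-j", []) if t in table["chains"])
    seen, todo = set(), [c for c in table["chains"] if c in BUILTIN]
    while todo:
        seen.add(c := todo.pop())
        todo.extend(edges[c] - seen)
    return sorted(set(table["chains"]) - seen)

def dnat_coverage(tables):
    """Map each PREROUTING DNAT ('proto/public port') to the kind of FORWARD ACCEPT admitting it."""
    fwd = [r for r in tables["filter"]["rules"] if r["-A"][0] == "FORWARD"]
    out = {}
    for r in tables["nat"]["rules"]:
        if r["-A"][0] != "PREROUTING" or r.get("-j") != ["DNAT"]:
            continue
        ip, _, port = first(r, "--to-destination").partition(":")  # IPv4 only
        port = int(port or first(r, "--dport") or 0) or None  # unchanged if --to has none; GRE: none
        proto, in_if, best = first(r, "-p"), first(r, "-i"), "none"
        for f in fwd:
            states = first(f, "--state")
            if f.get("-j") != ["ACCEPT"] or (states and "NEW" not in states.split(",")):
                continue  # not an accept, or only for flows that already exist
            if first(f, "-p") not in (None, proto) or first(f, "-i") not in (None, in_if):
                continue  # other protocol, or pinned to a different ingress interface
            if not port_matches(f.get("--dport", []) + f.get("--dports", []), port):
                continue  # FORWARD runs after DNAT, so this is the translated port
            net = ipaddress.ip_network(first(f, "-d") or "0.0.0.0/0", strict=False)
            if ipaddress.ip_address(ip) in net:
                best = "host-specific" if net.prefixlen == 32 else "broad"  # /32 vs subnet or no -d
                if best == "host-specific":
                    break
        out[f"{proto or 'all'}/{first(r, '--dport') or 'any'}"] = best
    return out
```

Run it against the real dump by reading `iptables-save` output into `parse_dump` instead of `SAMPLE_DUMP`; a "broad" result means the forward is admitted by a rule that would also admit the same port to any other LAN host, and "none" means the DNAT is silently dropped by the FORWARD policy.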