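#!/bin/bash
#
# Iptables - Basic Firewall Script for Slackware
#
###########
# Usage
###########
#
# Slackware systems
# Copy to /etc/rc.d/rc.firewall
# Execute 'chmod +x /etc/rc.d/rc.firewall'
# Start by executing '/etc/rc.d/rc.firewall'
#
# Rule order matters: iptables walks each chain top to bottom and LOG is a
# non-terminating target, so a LOG rule only ever sees packets that no
# earlier rule has already ACCEPTed or DROPped. The LOG rules below are
# therefore placed immediately before the decision they are meant to record.
#
# Abort on the first failing iptables call so that a half-loaded ruleset is
# neither left active nor written to /etc/iptables.rules at the end.
set -e
IPTABLES="/usr/sbin/iptables"
# Fail closed: set the chain policies to DROP before loading rules, so an
# aborted run leaves the host closed instead of at the kernel default ACCEPT.
$IPTABLES -P INPUT DROP
$IPTABLES -P FORWARD DROP
$IPTABLES -P OUTPUT DROP
# Flush all rules, delete user chains, reset counters
$IPTABLES -F
$IPTABLES -X
$IPTABLES -Z
# Block WINDOWS noise (NetBIOS name/datagram service)
$IPTABLES -A INPUT -p UDP -s 0/0 --destination-port 137 -j DROP
$IPTABLES -A INPUT -p UDP -s 0/0 --destination-port 138 -j DROP
# Drop INVALID packets
$IPTABLES -A INPUT -p ALL -m state --state INVALID -j DROP
# Block packets in state new that are not syn
$IPTABLES -A INPUT -p tcp ! --syn -m state --state NEW -j DROP
# Block port scans (illegal TCP flag combinations)
$IPTABLES -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
$IPTABLES -A INPUT -p tcp --tcp-flags ALL ALL -j DROP
$IPTABLES -A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
$IPTABLES -A INPUT -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP
$IPTABLES -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
$IPTABLES -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
# Accept everything from loopback
# NOTE(review): only 127.0.0.1 <-> 127.0.0.1 is accepted here; traffic the
# host sends to its own non-loopback addresses also arrives on lo and will
# fall through to the final DROP. Widen to '-i lo -j ACCEPT' if that is needed.
$IPTABLES -A INPUT -i lo -s 127.0.0.1 -d 127.0.0.1 -j ACCEPT
$IPTABLES -A OUTPUT -o lo -s 127.0.0.1 -d 127.0.0.1 -j ACCEPT
# ICMP
###############
# Log all pings. This must come BEFORE the echo-request ACCEPT/DROP below,
# otherwise the terminating rule consumes the packet and nothing is logged.
$IPTABLES -A INPUT -p ICMP --icmp-type 8 -j LOG \
--log-prefix "[ Ping detected: ]"
# Drop Pings
# $IPTABLES -A INPUT -p ICMP -s 0/0 --icmp-type 8 -j DROP
# Allow Ping
$IPTABLES -A INPUT -p ICMP -s 0/0 --icmp-type 8 -j ACCEPT
# Drop fragmented ICMP packets
$IPTABLES -A INPUT --fragment -p ICMP -j DROP
# DROP INVALIDs
$IPTABLES -A INPUT -m state -p icmp --state INVALID -j DROP
$IPTABLES -A OUTPUT -m state -p icmp --state INVALID -j DROP
# END ICMP
##############
# Services
###############
# Allow TIME protocol (tcp/37). NTP itself uses udp/123, not this port.
# $IPTABLES -A INPUT -p TCP -s 0/0 --destination-port 37 -j ACCEPT
# Allow SSH
# $IPTABLES -A INPUT -p TCP -s 0/0 --destination-port 22 -j ACCEPT
# Allow HTTPD
# $IPTABLES -A INPUT -p TCP -s 0/0 --destination-port 80 -j ACCEPT
# $IPTABLES -A INPUT -p TCP -s 0/0 --destination-port 443 -j ACCEPT
# Allow Torrents (replace PORT1:PORT2 with the real range before enabling)
# $IPTABLES -A INPUT -p UDP -s 0/0 --destination-port PORT1:PORT2 -j ACCEPT
# $IPTABLES -A INPUT -p TCP -s 0/0 --destination-port PORT1:PORT2 -j ACCEPT
# END Services
###############
# Global Accept
################
# Allow RELATED,ESTABLISHED inbound and forwarded; NEW is only allowed outbound
$IPTABLES -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
$IPTABLES -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
$IPTABLES -A OUTPUT -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
# END Global
############
# Logging
##########
# Log everything that is about to be dropped. These rules sit AFTER the
# Global Accept so that accepted (established) traffic is not logged as
# "DROPPED"; the rate limit keeps a flood from filling the log.
$IPTABLES -A INPUT -m limit --limit 5/minute --limit-burst 3 -j LOG \
--log-prefix "[ INPUT DROPPED ]"
$IPTABLES -A OUTPUT -m limit --limit 5/minute --limit-burst 3 -j LOG \
--log-prefix "[ OUTPUT DROPPED: ]"
$IPTABLES -A FORWARD -m limit --limit 5/minute --limit-burst 3 -j LOG \
--log-prefix "[ FORWARD DROPPED ]"
# END Logging
############
# Drop all other packets
$IPTABLES -A INPUT -j DROP
$IPTABLES -A FORWARD -j DROP
$IPTABLES -A OUTPUT -j DROP
# Backup rules to /etc/iptables.rules (only reached if every rule loaded)
/usr/sbin/iptables-save > /etc/iptables.rules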