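#!/bin/sh
#------------------------------------------------------------------------------
# Example host-only firewall (filter table, INPUT side). It could be applied to
# a NAT box as well if needed. Traffic is filtered per interface ($IF) and one
# local network is left unblocked.
#
# If you re-use this script you WILL NEED TO ADJUST THE ALLOWED LOCAL RANGE:
# private address space that is not your LAN is blocked below (10/8 and
# 172.16/12 go to DUMP; 192.168/16 is the range left open).
#
# Must run as root. The script deliberately does not 'set -e': "-N" on an
# already existing chain is an expected failure on re-runs, and iptables
# reports every other failure on stderr.
#------------------------------------------------------------------------------

IF=eth0
IPTABLES=/usr/sbin/iptables

# Fail early with one clear message instead of an exit-127 for every rule.
if [ ! -x "$IPTABLES" ]; then
  printf '%s: iptables not found at %s\n' "${0##*/}" "$IPTABLES" >&2
  exit 1
fi

# flush the built-in chains of the filter table
"$IPTABLES" -F

# DUMP - log, reject and drop; we are not even going to examine these packets.
# "-N" fails harmlessly when the chain already exists, so its stderr is
# silenced (it writes nothing to stdout); the "-F" that follows empties the
# chain either way.
# NOTE(review): the LOG rules carry no '-m limit'; on a busy interface they
# can flood the log. Consider '-m limit --limit 5/min' in front of them.
"$IPTABLES" -N DUMP 2>/dev/null
"$IPTABLES" -F DUMP
"$IPTABLES" -A DUMP -p tcp -j LOG
"$IPTABLES" -A DUMP -p udp -j LOG
"$IPTABLES" -A DUMP -p tcp -j REJECT --reject-with tcp-reset
"$IPTABLES" -A DUMP -p udp -j REJECT --reject-with icmp-port-unreachable
"$IPTABLES" -A DUMP -j DROP

# STATEFUL - accept replies to our own connections, accept NEW connections
# that did NOT arrive on $IF (any other interface), send everything else to
# DUMP.
# '! -i' is the extrapositioned negation current iptables expects; the old
# '-i !' spelling is deprecated and refused by modern releases.
# NOTE(review): nothing shown here sends INPUT into STATEFUL or sets the
# INPUT policy. Unless the tail of the script does, traffic not matched by
# the explicit rules below is decided by whatever INPUT policy is already in
# place - confirm before relying on this as a firewall.
"$IPTABLES" -N STATEFUL 2>/dev/null
"$IPTABLES" -F STATEFUL
"$IPTABLES" -I STATEFUL -m state --state ESTABLISHED,RELATED -j ACCEPT
"$IPTABLES" -A STATEFUL -m state --state NEW ! -i "$IF" -j ACCEPT
"$IPTABLES" -A STATEFUL -j DUMP

# loopback rules - for local service level processes who need it
"$IPTABLES" -A INPUT -i lo -j ACCEPT
"$IPTABLES" -A OUTPUT -o lo -j ACCEPT

# Drop packets arriving on $IF with a "reserved" source address.
# NOTE(review): this bogon list is dated. All of the /8 blocks below have
# since been allocated by IANA and carry legitimate traffic, so these rules
# will silently reject real clients. Refresh it against a current bogon
# source before deploying, or keep only the special-use ranges (0/8, 10/8,
# 127/8, 169.254/16, 172.16/12, 192.168/16, 224/3).
# 192.168.0.0/16 is intentionally left unblocked - it is the local network.
"$IPTABLES" -A INPUT -i "$IF" -s 0.0.0.0/8 -j DUMP
"$IPTABLES" -A INPUT -i "$IF" -s 1.0.0.0/8 -j DUMP
"$IPTABLES" -A INPUT -i "$IF" -s 2.0.0.0/8 -j DUMP
"$IPTABLES" -A INPUT -i "$IF" -s 5.0.0.0/8 -j DUMP
"$IPTABLES" -A INPUT -i "$IF" -s 7.0.0.0/8 -j DUMP
"$IPTABLES" -A INPUT -i "$IF" -s 10.0.0.0/8 -j DUMP
"$IPTABLES" -A INPUT -i "$IF" -s 23.0.0.0/8 -j DUMP
"$IPTABLES" -A INPUT -i "$IF" -s 27.0.0.0/8 -j DUMP
"$IPTABLES" -A INPUT -i "$IF" -s 31.0.0.0/8 -j DUMP
"$IPTABLES" -A INPUT -i "$IF" -s 36.0.0.0/8 -j DUMP
"$IPTABLES" -A INPUT -i "$IF" -s 39.0.0.0/8 -j DUMP
"$IPTABLES" -A INPUT -i "$IF" -s 41.0.0.0/8 -j DUMP
"$IPTABLES" -A INPUT -i "$IF" -s 42.0.0.0/8 -j DUMP
"$IPTABLES" -A INPUT -i "$IF" -s 58.0.0.0/8 -j DUMP
"$IPTABLES" -A INPUT -i "$IF" -s 59.0.0.0/8 -j DUMP
"$IPTABLES" -A INPUT -i "$IF" -s 60.0.0.0/8 -j DUMP
"$IPTABLES" -A INPUT -i "$IF" -s 127.0.0.0/8 -j DUMP
"$IPTABLES" -A INPUT -i "$IF" -s 169.254.0.0/16 -j DUMP
"$IPTABLES" -A INPUT -i "$IF" -s 172.16.0.0/12 -j DUMP
#"$IPTABLES" -A INPUT -i "$IF" -s 192.168.0.0/16 -j DUMP
"$IPTABLES" -A INPUT -i "$IF" -s 197.0.0.0/8 -j DUMP
"$IPTABLES" -A INPUT -i "$IF" -s 224.0.0.0/3 -j DUMP
# 240.0.0.0/8 is already covered by 224.0.0.0/3 above; kept for readability.
"$IPTABLES" -A INPUT -i "$IF" -s 240.0.0.0/8 -j DUMP

# allow certain inbound ICMP types (ping, traceroute..)
"$IPTABLES" -A INPUT -i "$IF" -p icmp --icmp-type destination-unreachable -j ACCEPT
"$IPTABLES" -A INPUT -i "$IF" -p icmp --icmp-type time-exceeded -j ACCEPT
"$IPTABLES" -A INPUT -i "$IF" -p icmp --icmp-type echo-reply -j ACCEPT
"$IPTABLES" -A INPUT -i "$IF" -p icmp --icmp-type echo-request -j ACCEPT

# Drop all packets to port 111 except those from localhost (disabled)
#"$IPTABLES" -A INPUT ! -s 127.0.0.0/8 -p tcp --dport 111 -j DROP

# kill off identd quick - a reset, not a drop, so remote servers don't stall
"$IPTABLES" -A INPUT -p tcp -i "$IF" --dport 113 -j REJECT --reject-with tcp-reset

# ssh
# NOTE(review): ssh is TCP-only. The UDP rule opens a port nothing listens on;
# remove it unless something on this host really serves UDP/22.
"$IPTABLES" -A INPUT -p tcp -i "$IF" --dport 22 -j ACCEPT
"$IPTABLES" -A INPUT -p udp -i "$IF" --dport 22 -j ACCEPT

# proxy-www
# NOTE(review): same remark - an HTTP proxy is TCP; drop the UDP/8080 rule
# unless a UDP service on 8080 is actually present.
"$IPTABLES" -A INPUT -p tcp -i "$IF" --dport 8080 -j ACCEPT
"$IPTABLES" -A INPUT -p udp -i "$IF" --dport 8080 -j ACCEPT

# Don't log route (RIP) packets coming from routers - too much logging, so
# reject them here instead of letting them reach the logging DUMP chain.
"$IPTABLES" -A INPUT -p udp -i "$IF" --dport 520 -j REJECT

# Don't log smb/windows sharing packets - too much logging
"$IPTABLES" -A INPUT -p tcp -i "$IF" --dport 137:139 -j REJECT
"$IPTABLES" -A INPUT -p udp -i "$IF" --dport 137:139 -j REJECT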