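#!/bin/sh
#
# /root/firewall  (install with: chmod 700 /root/firewall)
#
# Two-interface gateway: eth0 faces the upstream network and is masqueraded,
# eth1 faces the LAN. LAN web traffic (port 80) is transparently redirected to
# the local proxy on port 8080; all other inbound traffic to this host is
# dropped unless explicitly allowed below.
#
# Must run as root. Uses the nat table and the state, tcp and limit matches.
# The shebang has to be the very first line for the kernel to honour it.

# Stop at the first failing iptables call instead of silently continuing with
# a half-built rule set. NOTE(review): if the script aborts after the flush
# below, the filter table is empty and the INPUT policy is whatever it was
# before (ACCEPT on a fresh boot) - check the exit status when invoking this.
set -e

IPT=/sbin/iptables
WAN_IF=eth0       # upstream / masqueraded interface
LAN_IF=eth1       # LAN interface whose clients are proxied
PROXY_PORT=8080   # port the transparent proxy listens on (REDIRECT target)
# Placeholder carried over from the original template: replace with the LAN
# host that should receive forwarded Remote Desktop (3389) connections.
RDP_HOST=10.0.0.Y

##### Start from a clean slate #####
# --flush / --delete-chain act on the default "filter" table; the "nat" table
# must be named explicitly.
$IPT --flush
$IPT -t nat -F
$IPT --delete-chain
$IPT -t nat --delete-chain

##### IP forwarding and masquerading #####
$IPT -t nat -A POSTROUTING -o "$WAN_IF" -j MASQUERADE
$IPT -A FORWARD -i "$LAN_IF" -j ACCEPT
# NOTE(review): the FORWARD policy is not set here, so traffic entering on
# $WAN_IF - including the DNATed RDP connections below - is forwarded by the
# pre-existing policy (ACCEPT on a fresh boot) rather than by an explicit rule.
echo 1 > /proc/sys/net/ipv4/ip_forward

##### Loopback #####
# Must precede the blocking rules so the host can talk to itself.
$IPT -A INPUT -i lo -p all -j ACCEPT
$IPT -A OUTPUT -o lo -p all -j ACCEPT

##### Transparent proxy: LAN port 80 -> local $PROXY_PORT #####
# Limited to the LAN interface: without "-i", connections arriving from
# $WAN_IF for port 80 would be redirected into the proxy as well.
$IPT -t nat -A PREROUTING -i "$LAN_IF" -p tcp --dport 80 -j REDIRECT --to-port "$PROXY_PORT"

##### Forward Remote Desktop to $RDP_HOST #####
# Template for forwarding one port to one LAN host (the original gave "-t nat"
# twice on these lines; iptables accepts the table option only once):
#$IPT -t nat -A PREROUTING -p tcp -d 10.0.0.X --dport 5900 -j DNAT --to 10.0.0.Y:5900
$IPT -t nat -A PREROUTING -p tcp --dport 3389 -j DNAT --to "$RDP_HOST:3389"

##### Keep LAN clients from reaching the proxy port directly #####
# Only loopback may connect to 3128. NOTE(review): the proxy port used
# everywhere else in this script is $PROXY_PORT, and with the INPUT policy of
# DROP set below a port that is not explicitly opened is dropped anyway -
# confirm which port the proxy actually listens on.
$IPT -A INPUT -m tcp -p tcp ! -s 127.0.0.1 --dport 3128 -j DROP

##### Allow rules #####
# Replies to connections this host (or a forwarded client) already has.
$IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Reset stray TCP packets that carry no MSS option (i.e. are not SYN) and
# did not belong to a known connection above.
$IPT -A INPUT -p tcp ! --tcp-option 2 -j REJECT --reject-with tcp-reset
# ICMP: reject explicitly rather than letting it fall through to the log/drop.
$IPT -A INPUT -p icmp -j REJECT --reject-with icmp-port-unreachable
# SSH
$IPT -A INPUT -p tcp --dport 22 -j ACCEPT
# HTTP to this host itself
$IPT -A INPUT -p tcp --dport 80 -j ACCEPT
# Proxy port, LAN only; opening it on every interface would expose the proxy
# to $WAN_IF. NOTE(review): LAN clients can still connect to $PROXY_PORT
# directly and skip the REDIRECT; if that must be prevented, accept only
# redirected connections here (e.g. a conntrack DNAT state match) or rely on
# the proxy's own access controls - confirm which is intended.
#$IPT -A INPUT -p tcp --dport 3128 -j ACCEPT
$IPT -A INPUT -i "$LAN_IF" -p tcp --dport "$PROXY_PORT" -j ACCEPT
# ICP port for the proxy
$IPT -A INPUT -p tcp --dport 3130 -j ACCEPT
# DNS
$IPT -A INPUT -p tcp --dport 53 -j ACCEPT
$IPT -A INPUT -p udp --dport 53 -j ACCEPT
# DHCP (disabled)
#$IPT -A INPUT -p udp --dport 67 --sport 68 -j ACCEPT
# SMTP (disabled)
#$IPT -A INPUT -p tcp --dport 25 -j ACCEPT
# VPN service (disabled)
#$IPT -A INPUT -p udp --dport 1194 -j ACCEPT
#$IPT -A INPUT -i tun+ -j ACCEPT
#$IPT -A FORWARD -i tun+ -j ACCEPT
# Remote Desktop on this host. NOTE(review): port 3389 is DNATed to $RDP_HOST
# in PREROUTING above before it could reach INPUT, so this rule most likely
# never matches - confirm it is still wanted.
$IPT -A INPUT -p tcp --dport 3389 -j ACCEPT
# ntop network monitor (disabled)
#$IPT -A INPUT -p tcp --dport 3000 -j ACCEPT

##### Default: drop #####
# Everything not accepted above is dropped. Only INPUT gets a policy here;
# OUTPUT and FORWARD keep whatever policy they already had.
$IPT -P INPUT DROP
# Log what falls through to the policy. Rate-limited so a flood of rejected
# packets cannot fill syslog.
$IPT -A INPUT -m limit --limit 5/min --limit-burst 10 -j LOG --log-level warn --log-prefix "[DENIED] "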