{{{ #!/bin/sh #-----------------------------------------------------------------------
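#-----------------------------------------------------------------------
# Small NAT + packet-filter script for a box with one untrusted WAN
# interface (ppp0) and trusted local interfaces. Everything that is not
# explicitly accepted in the user chain "block" is logged (rate-limited)
# and dropped.
#
# Needs: root, iptables with the "state" and "limit" matches, and a
# kernel with /proc/sys/net/ipv4/ip_forward.
# Safe to re-run: both the filter and the nat table are reset first.
#
# Override the binary or the WAN interface from the environment:
#   IPT=/usr/local/bin/iptables WAN=ppp1 ./firewall.sh
#-----------------------------------------------------------------------
set -eu

IPT=${IPT:-/sbin/iptables}
WAN=${WAN:-ppp0}

#-----------------------------------------------------------------------
# Fail closed: put DROP policies on INPUT and FORWARD *before* flushing,
# so that an error half-way through (set -e aborts the script) can never
# leave the host or the LAN open. OUTPUT keeps its default policy (the
# original script did not filter outgoing traffic either).
#-----------------------------------------------------------------------
"$IPT" -P INPUT DROP
"$IPT" -P FORWARD DROP

# Flush all rules first ... in both tables. The original flushed only the
# filter table, so every re-run appended duplicate MASQUERADE/DNAT rules.
# "-X" without a chain name removes every (now empty) user chain and does
# not fail when there is none, so this also works on the very first run.
"$IPT" -F
"$IPT" -X
"$IPT" -t nat -F
"$IPT" -t nat -X

#-----------------------------------------------------------------------
# A little NAT, we'll need it, too.
#-----------------------------------------------------------------------
"$IPT" -t nat -A POSTROUTING -o "$WAN" -j MASQUERADE
echo 1 > /proc/sys/net/ipv4/ip_forward

# some transparent proxying?? (left disabled, as in the original)
#"$IPT" -t nat -A PREROUTING ! -i "$WAN" -p tcp --dport 80 -j REDIRECT --to 194.152.207.52:4242

# irc port redirection? LAN-side irc clients are sent to the internal ircd.
"$IPT" -t nat -A PREROUTING ! -i "$WAN" -p tcp --dport 6667 -j DNAT --to-destination 192.168.1.1:7000

#-----------------------------------------------------------------------
# Rate-limit chains for traffic coming in from the WAN.
#
# The original appended its "--syn" and "echo-request" limit rules to
# FORWARD *after* "-j block". Since "block" ends in an unconditional DROP,
# every packet is ACCEPTed or DROPped inside it and those rules were never
# reached. They also ACCEPTed the first packet per second and only LOGged
# the rest, which drops nothing. Here packets within the limit RETURN to
# FORWARD for the normal policy; the excess is logged (rate-limited by the
# limit match's defaults) and dropped.
#
# The limits apply only to packets arriving on $WAN: capping LAN-originated
# SYNs at one per second would cripple every client behind the NAT.
#
# NB: the limit match does not protect against "ping of death" (oversized
# fragmented ICMP); it merely caps the echo-request rate.
#-----------------------------------------------------------------------
"$IPT" -N syn_limit
"$IPT" -A syn_limit -m limit --limit 1/s -j RETURN
"$IPT" -A syn_limit -m limit -j LOG --log-prefix "fw syn-limit: "
"$IPT" -A syn_limit -j DROP

"$IPT" -N ping_limit
"$IPT" -A ping_limit -m limit --limit 1/s -j RETURN
"$IPT" -A ping_limit -m limit -j LOG --log-prefix "fw ping-limit: "
"$IPT" -A ping_limit -j DROP

#-----------------------------------------------------------------------
# Define our rule chain ...
#-----------------------------------------------------------------------
"$IPT" -N block

# accept all established connections initiated by our side ...
"$IPT" -A block -m state --state ESTABLISHED,RELATED -j ACCEPT

# accept all connections on ident port
"$IPT" -A block -m state --state NEW,ESTABLISHED,RELATED -p tcp --dport 113 -i "$WAN" -j ACCEPT
#
# SECURITY NOTE on the "--sport" rules in this chain (113, 20, 53):
# they accept NEW inbound connections from the Internet to *any* local
# port as long as the remote end chose source port 113, 20 or 53 — and
# any client can choose its source port. Replies to our own ident/DNS
# queries are already covered by the ESTABLISHED,RELATED rule above, and
# active-mode FTP data connections are better handled by the FTP conntrack
# helper (ip_conntrack_ftp / nf_conntrack_ftp). The rules are kept only
# because the original relied on them; remove them once the helper is
# loaded.
"$IPT" -A block -m state --state NEW,ESTABLISHED,RELATED -p tcp --sport 113 -i "$WAN" -j ACCEPT

# accept all connections on ircd port (disabled)
#"$IPT" -A block -m state --state NEW,ESTABLISHED,RELATED -p tcp --dport 6667 -j ACCEPT
#"$IPT" -A block -m state --state NEW,ESTABLISHED,RELATED -p tcp --sport 6667 -j ACCEPT

# accept all connections on ssh port - NOT! (disabled)
#"$IPT" -A block -m state --state NEW,ESTABLISHED,RELATED -p tcp --dport 22 -i "$WAN" -j ACCEPT
#"$IPT" -A block -m state --state NEW,ESTABLISHED,RELATED -p tcp --sport 22 -i "$WAN" -j ACCEPT

# accept all connections on ftp-data port (see SECURITY NOTE above)
"$IPT" -A block -m state --state NEW,ESTABLISHED,RELATED -p tcp --dport 20 -i "$WAN" -j ACCEPT
"$IPT" -A block -m state --state NEW,ESTABLISHED,RELATED -p tcp --sport 20 -i "$WAN" -j ACCEPT

# accept all connections on DNS ports (see SECURITY NOTE above for --sport)
"$IPT" -A block -m state --state NEW,ESTABLISHED,RELATED -p tcp --dport 53 -i "$WAN" -j ACCEPT
"$IPT" -A block -m state --state NEW,ESTABLISHED,RELATED -p tcp --sport 53 -i "$WAN" -j ACCEPT
"$IPT" -A block -m state --state NEW,ESTABLISHED,RELATED -p udp --dport 53 -i "$WAN" -j ACCEPT
"$IPT" -A block -m state --state NEW,ESTABLISHED,RELATED -p udp --sport 53 -i "$WAN" -j ACCEPT

# accept all connections on our strange proxy port (disabled)
#"$IPT" -A block -m state --state NEW,ESTABLISHED,RELATED -p tcp --dport 4000 -i "$WAN" -j ACCEPT
#"$IPT" -A block -m state --state NEW,ESTABLISHED,RELATED -p tcp --sport 4000 -i "$WAN" -j ACCEPT
##"$IPT" -A block -m state --state NEW,ESTABLISHED,RELATED -p tcp --dport 4242 -i "$WAN" -j ACCEPT
##"$IPT" -A block -m state --state NEW,ESTABLISHED,RELATED -p tcp --sport 4242 -i "$WAN" -j ACCEPT

# accept all connections originating on our local interfaces
"$IPT" -A block -m state --state NEW ! -i "$WAN" -j ACCEPT

# do a little, of course limited, logging — then drop.
# The original's "-A FORWARD -m limit -j LOG" sat after "-j block" and was
# never reached; placing it here, right before the DROP, logs what is
# actually rejected (on INPUT as well as FORWARD) at the limit match's
# default rate.
"$IPT" -A block -m limit -j LOG --log-prefix "fw drop: "
"$IPT" -A block -j DROP

#-----------------------------------------------------------------------
# Hook the chains into the built-in ones.
#-----------------------------------------------------------------------
# all in input chain we forward to our rules...
"$IPT" -A INPUT -j block

# SYN-flood / ping-flood caps on WAN traffic, checked *before* the main
# policy so they actually take effect (see the rate-limit section above).
"$IPT" -A FORWARD -i "$WAN" -p tcp --syn -j syn_limit
"$IPT" -A FORWARD -i "$WAN" -p icmp --icmp-type echo-request -j ping_limit

# and forward chain, too.
"$IPT" -A FORWARD -j block

#-----------------------------------------------------------------------
# that's all folks, for now.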
}}}