FireWall: Revision 7
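#!/bin/sh
#
# FireWall -- iptables ruleset for a small NAT gateway whose uplink is ppp0.
#
# Layout: INPUT and FORWARD both jump to the user chain "block"; whatever
# "block" does not explicitly ACCEPT is logged (rate-limited) and DROPped.
# Rate limiting of inbound SYNs and echo-requests lives in a separate chain
# "flood" that is consulted BEFORE the jump to "block". Anything appended to
# FORWARD after "-j block" can never be reached, because "block" ends in an
# unconditional DROP and never RETURNs -- the old SYN-flood / ping rules sat
# exactly there and were dead code.
#
# Environment (all optional):
#   IPT       path to iptables                       (default /sbin/iptables)
#   EXT       untrusted interface                    (default ppp0)
#   IRC_DNAT  where LAN-originated 6667/tcp is sent  (default 192.168.1.1:7000)
#
# Exit status: 0 when every rule loaded; non-zero (and policies left at DROP,
# i.e. fail closed) if any command failed -- see the EXIT trap.

set -eu

IPT=${IPT:-/sbin/iptables}
EXT=${EXT:-ppp0}
IRC_DNAT=${IRC_DNAT:-192.168.1.1:7000}

# Print a message to stderr and abort.
die() { printf '%s\n' "$*" >&2; exit 1; }

[ "$(id -u)" -eq 0 ] || die "firewall: must run as root"
command -v "$IPT" >/dev/null 2>&1 || die "firewall: iptables not found at $IPT"

# If we abort half-way the policies below are already DROP, so say so loudly
# instead of leaving the admin guessing why nothing gets through.
trap 'rc=$?; [ "$rc" -eq 0 ] || printf "firewall: aborted (rc=%s); policies are DROP, ruleset incomplete\n" "$rc" >&2' EXIT

# ---- reset ----------------------------------------------------------------
# Fail closed while the ruleset is (re)built: a partially loaded ruleset must
# not leave the box open. Everything we allow is ACCEPTed explicitly below.
"$IPT" -P INPUT DROP
"$IPT" -P FORWARD DROP
"$IPT" -P OUTPUT ACCEPT

# Flush BOTH tables: plain "-F" only touches the filter table, so the
# MASQUERADE/DNAT rules used to be duplicated on every re-run. Deleting the
# user chains fails harmlessly on the very first run (they do not exist yet).
"$IPT" -F
"$IPT" -t nat -F
"$IPT" -X block 2>/dev/null || true
"$IPT" -X flood 2>/dev/null || true

# Active-mode FTP data connections (server port 20 -> client) are tracked as
# RELATED once the ftp helpers are loaded; that replaces the old blanket
# "--sport 20" accept. Module names differ between kernel generations, and a
# kernel without the helper should not abort the whole ruleset.
modprobe nf_conntrack_ftp 2>/dev/null || modprobe ip_conntrack_ftp 2>/dev/null || true
modprobe nf_nat_ftp       2>/dev/null || modprobe ip_nat_ftp       2>/dev/null || true

# ---- NAT ------------------------------------------------------------------
# A little NAT, we'll need it, too.
"$IPT" -t nat -A POSTROUTING -o "$EXT" -j MASQUERADE
echo 1 > /proc/sys/net/ipv4/ip_forward

# irc port redirection: LAN clients talking to any 6667/tcp land on our ircd.
"$IPT" -t nat -A PREROUTING ! -i "$EXT" -p tcp --dport 6667 -j DNAT --to-destination "$IRC_DNAT"

# Transparent proxying was once tried here as
#   -p tcp --dport 80 -j REDIRECT --to 194.152.207.52:4242
# REDIRECT only takes --to-ports (it always targets this host); a proxy on
# another machine needs DNAT --to-destination instead. Left disabled.

# ---- filter: "block" ------------------------------------------------------
"$IPT" -N block

# Replies to anything we (or the LAN) started.
"$IPT" -A block -m state --state ESTABLISHED,RELATED -j ACCEPT

# Services reachable from the outside. Only --dport rules on purpose: the
# former "--state NEW ... --sport 113/20/53 -j ACCEPT" rules let anyone reach
# ANY port simply by sending from source port 113, 20 or 53, and legitimate
# replies are already covered by ESTABLISHED,RELATED above.
"$IPT" -A block -m state --state NEW -p tcp --dport 113 -i "$EXT" -j ACCEPT   # ident
"$IPT" -A block -m state --state NEW -p tcp --dport 20  -i "$EXT" -j ACCEPT   # ftp-data
"$IPT" -A block -m state --state NEW -p tcp --dport 53  -i "$EXT" -j ACCEPT   # DNS
"$IPT" -A block -m state --state NEW -p udp --dport 53  -i "$EXT" -j ACCEPT   # DNS
#"$IPT" -A block -m state --state NEW -p tcp --dport 22   -i "$EXT" -j ACCEPT  # ssh -- NOT!
#"$IPT" -A block -m state --state NEW -p tcp --dport 6667 -i "$EXT" -j ACCEPT  # ircd
#"$IPT" -A block -m state --state NEW -p tcp --dport 4000 -i "$EXT" -j ACCEPT  # our strange proxy port

# Anything that originates on a local interface (lo, the LAN) is trusted.
"$IPT" -A block -m state --state NEW ! -i "$EXT" -j ACCEPT

# Default policy is drop, of course -- but log a little first. The limit
# match defaults (3/hour, burst 5) keep this from flooding the syslog.
"$IPT" -A block -m limit -j LOG --log-prefix "fw-drop: "
"$IPT" -A block -j DROP

# ---- filter: "flood" ------------------------------------------------------
# SYN-flood / ping-of-death style limiting. Within the budget the packet
# RETURNs to FORWARD and is still subject to "block" (the old rule ACCEPTed
# it, bypassing "block" entirely); the excess is logged and dropped.
"$IPT" -N flood
"$IPT" -A flood -m limit --limit 1/s -j RETURN
"$IPT" -A flood -m limit --limit 1/s -j LOG --log-prefix "fw-flood: "
"$IPT" -A flood -j DROP

# ---- wire up the built-in chains ------------------------------------------
"$IPT" -A INPUT -j block

# Only traffic arriving on the uplink is throttled, so the LAN's own
# browsing is not capped at one connection per second. Raise --limit /
# --limit-burst in "flood" to taste.
"$IPT" -A FORWARD -i "$EXT" -p tcp --syn -j flood
"$IPT" -A FORWARD -i "$EXT" -p icmp --icmp-type echo-request -j flood
"$IPT" -A FORWARD -j block

# that's all folks, for now.  (original May 9 2:08am)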