
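#!/bin/sh
#-------------------------------------------------------------------------
# Simple masquerading firewall for a box with a ppp0 uplink and a LAN
# behind it.  Everything arriving on ppp0 is dropped unless it belongs to
# a connection we started or is one of the few services listed below.
# Must run as root.  Safe to re-run: all tables are flushed first.
#-------------------------------------------------------------------------
IPT=/sbin/iptables
EXT=ppp0                 # the uplink; every other interface is "inside"

# Close the door *before* flushing, so there is no moment in which the
# built-in chains are empty while forwarding is on.  This also makes the
# box fail closed if a rule below errors out.  OUTPUT stays at ACCEPT,
# as before: we never filtered what leaves from here.
"$IPT" -P INPUT DROP
"$IPT" -P FORWARD DROP

# Flush all rules first -- filter AND nat.  The original only flushed
# filter, so the MASQUERADE/DNAT rules were appended again on every run.
# -X fails harmlessly on the very first run (chains do not exist yet).
"$IPT" -F
"$IPT" -t nat -F
"$IPT" -X block 2>/dev/null
"$IPT" -X ratelimit 2>/dev/null

#-------------------------------------------------------------------------
# A little NAT, we'll need it, too.
"$IPT" -t nat -A POSTROUTING -o "$EXT" -j MASQUERADE

# some transparent proxying?? (disabled)
#"$IPT" -t nat -A PREROUTING -i ! "$EXT" -p tcp --dport 80 -j REDIRECT --to 194.152.207.52:4242

# irc port redirection for the LAN
"$IPT" -t nat -A PREROUTING -i ! "$EXT" -p tcp --dport 6667 -j DNAT --to-destination 192.168.1.1:7000

#-------------------------------------------------------------------------
# Our rule chain.  A packet that enters "block" is either accepted or
# dropped -- nothing falls through -- so anything that must see a packet
# before filtering has to be placed *before* the jump into "block".
"$IPT" -N block

# Accept _all_ established connections initiated by our side, plus
# anything related to them.  (Active-mode ftp data needs the conntrack
# helper for this to match, e.g. ip_conntrack_ftp / nf_conntrack_ftp.)
"$IPT" -A block -m state --state ESTABLISHED,RELATED -j ACCEPT

# Services we offer to the outside, matched on *destination* port only.
# The old --sport rules were removed on purpose: they accepted NEW
# inbound connections merely because the peer chose source port
# 20/53/113, which let anyone reach any local port by picking that
# source port.  Replies to our own queries are already covered by the
# ESTABLISHED,RELATED rule above.
#
# ident
"$IPT" -A block -m state --state NEW -p tcp --dport 113 -i "$EXT" -j ACCEPT
# ircd -- NOT!
#"$IPT" -A block -m state --state NEW -p tcp --dport 6667 -j ACCEPT
# ssh -- NOT!
#"$IPT" -A block -m state --state NEW -p tcp --dport 22 -i "$EXT" -j ACCEPT
# ftp-data
"$IPT" -A block -m state --state NEW -p tcp --dport 20 -i "$EXT" -j ACCEPT
# DNS, tcp and udp
"$IPT" -A block -m state --state NEW -p tcp --dport 53 -i "$EXT" -j ACCEPT
"$IPT" -A block -m state --state NEW -p udp --dport 53 -i "$EXT" -j ACCEPT
# our strange proxy port -- NOT!
#"$IPT" -A block -m state --state NEW -p tcp --dport 4000 -i "$EXT" -j ACCEPT
##"$IPT" -A block -m state --state NEW -p tcp --dport 4242 -i "$EXT" -j ACCEPT

# Accept _all_ connections originating on our local interfaces
"$IPT" -A block -m state --state NEW -i ! "$EXT" -j ACCEPT

# Default is drop, of course
"$IPT" -A block -j DROP

#-------------------------------------------------------------------------
# Rate limiting.  In the original these rules came *after* the jump to
# "block" and therefore never ran; they also only ACCEPTed the first
# packet per second and logged the rest without dropping it.  Now a small
# chain lets the first packets per second RETURN to the caller (which
# filters them normally via "block") and drops the excess.
# NOTE: 1/s with the default burst of 5 throttles *all* forwarded TCP
# connection setups from the LAN; raise --limit if that is too tight.
"$IPT" -N ratelimit
"$IPT" -A ratelimit -m limit --limit 1/s -j RETURN
"$IPT" -A ratelimit -m limit --limit 1/s -j LOG --log-prefix "ratelimit: "
"$IPT" -A ratelimit -j DROP

# do a little, of course limited, logging of forwarded traffic
"$IPT" -A FORWARD -m limit -j LOG
# SYNflood protection
"$IPT" -A FORWARD -p tcp --syn -j ratelimit
# ping of death protection
"$IPT" -A FORWARD -p icmp --icmp-type echo-request -j ratelimit

# all in input chain we forward to our rules ...
"$IPT" -A INPUT -j block
# ... and forward chain, too.
"$IPT" -A FORWARD -j block

# Only now, with the rules in place, turn forwarding on.
echo "1" > /proc/sys/net/ipv4/ip_forward
#-------------------------------------------------------------------------
# that's all folks, for now.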


original May 9 2:08am