LinuxQuestions.org
Old 02-23-2005, 11:07 PM   #1
sh1ft
Member
 
Registered: Feb 2004
Location: Ottawa, Ontario, Can
Distribution: Slackware, ubuntu
Posts: 391

my first iptables script


Hey, I was bored so I thought I'd play around with iptables for a bit. This is my first attempt at a script from scratch; I tried to take the best bits from various tutorials and combine them into one.

For a standalone machine on a large university network behind NAT.

If there's anything you guys think I should add, or that is redundant or broken, feel free to tell me, I would be grateful. I tried to make it as simple as possible without sacrificing security, therefore I didn't want to use variables or any excessive crap.


Code:
#!/bin/sh
#load connection tracking modules
#(kernels newer than this post name them nf_conntrack and nf_conntrack_ftp)
modprobe ip_conntrack
modprobe ip_conntrack_ftp

#start from a clean filter table so re-running the script does not
#duplicate rules or fail on the already existing bad_tcp_packets chain
iptables -F
iptables -X

#drop everything
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
iptables -A INPUT -m state --state INVALID -j DROP

#make new chain to drop bad tcp packets
iptables -N bad_tcp_packets
iptables -A bad_tcp_packets -p tcp --tcp-flags SYN,ACK SYN,ACK \
-m state --state NEW -j REJECT --reject-with tcp-reset
iptables -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j DROP

#drop pings (echo-request only: a blanket "-p icmp -j DROP" here would also
#swallow the echo-reply/unreachable/time-exceeded packets accepted further
#down, because iptables stops at the first rule that matches)
iptables -A INPUT -p icmp --icmp-type echo-request -j DROP

#allow traffic to loopback
iptables -A INPUT -s 127.0.0.0/8 -d 127.0.0.0/8 -i lo -j ACCEPT

#prevent spoofing of loopback from outside
iptables -A INPUT -s 127.0.0.0/8 ! -i lo -j DROP

#stateful filtering just because I can
iptables -A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p tcp -j bad_tcp_packets

#some rules to keep ping working
iptables -A INPUT -i eth0 -p icmp --icmp-type echo-reply -j ACCEPT
iptables -A INPUT -i eth0 -p icmp --icmp-type destination-unreachable -j ACCEPT
iptables -A INPUT -i eth0 -p icmp --icmp-type time-exceeded -j ACCEPT

#accept connections for bittorrent
#(i use this port because its the only one which works on the residence network)
iptables -A INPUT -p tcp -i eth0 --dport 179 -m state --state NEW -j ACCEPT

#accept outbound connections to loopback
iptables -A OUTPUT -o lo -j ACCEPT

#more stateful outbound rules (option is --state, with two dashes)
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -p tcp -j bad_tcp_packets

#accept outbound connections from non-privileged ports
iptables -A OUTPUT -o eth0 -p tcp --sport 1024: -j ACCEPT
iptables -A OUTPUT -o eth0 -p udp --sport 1024: -j ACCEPT

#more ping stuff
iptables -A OUTPUT -o eth0 -p icmp ! --icmp-type redirect -j ACCEPT
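To see why rule order matters in a chain like the one above, here is a small first-match model of the script's ICMP rules in the INPUT chain. It is an added illustration, not the poster's code, and it is a constructed simplification: it models only the ICMP rules (the loopback and state rules are left out) and assumes the default policy is DROP, as the script sets it.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Rule:
    """One ICMP rule of the INPUT chain (constructed, simplified model)."""
    target: str                       # ACCEPT or DROP
    icmp_type: Optional[str] = None   # None matches every ICMP type
    iface: Optional[str] = None       # None matches every interface


def first_match(chain: List[Rule], icmp_type: str, iface: str,
                policy: str = "DROP") -> str:
    """iptables walks a chain top to bottom; the first matching rule decides."""
    for rule in chain:
        if rule.icmp_type in (None, icmp_type) and rule.iface in (None, iface):
            return rule.target
    return policy  # nothing matched: the chain policy (-P INPUT DROP) applies


def shadowed(chain: List[Rule]) -> List[Rule]:
    """Rules that can never fire because an earlier rule already matches
    every packet they would match."""
    dead = []
    for i, rule in enumerate(chain):
        for earlier in chain[:i]:
            if earlier.icmp_type in (None, rule.icmp_type) and \
               earlier.iface in (None, rule.iface):
                dead.append(rule)
                break
    return dead


# ICMP-relevant INPUT rules in the order the posted script installs them
ORIGINAL = [
    Rule("DROP"),                                    # "#drop pings": all ICMP
    Rule("ACCEPT", "echo-reply", "eth0"),
    Rule("ACCEPT", "destination-unreachable", "eth0"),
    Rule("ACCEPT", "time-exceeded", "eth0"),
]

# Same rules with the drop narrowed to echo-request, so replies get through
FIXED = [Rule("DROP", "echo-request")] + ORIGINAL[1:]

if __name__ == "__main__":
    for name, chain in (("original", ORIGINAL), ("fixed", FIXED)):
        verdict = first_match(chain, "echo-reply", "eth0")
        print(f"{name}: inbound echo-reply on eth0 -> {verdict}, "
              f"{len(shadowed(chain))} shadowed rule(s)")
```

The same first-match logic applies to every chain in the script, so any rule placed after a broader one that already decides the packet is dead weight.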
 
Old 02-24-2005, 05:17 PM   #2
Mara
Moderator
 
Registered: Feb 2002
Location: Grenoble
Distribution: Debian
Posts: 9,539

It's rather too restrictive. From what I see you don't allow replies to your own packets. Add a rule for ESTABLISHED, RELATED for the INPUT chain (like the one you have for OUTPUT).