Hey, I was bored, so I thought I'd play around with iptables for a bit. This is my first attempt at a script from scratch; I tried to take the best bits from various tutorials and combine them into one.
For a standalone machine on a large university network behind NAT.
If there's anything you guys think I should add, or that is redundant or broken, feel free to tell me, I would be grateful. I tried to make it as simple as possible without sacrificing security, therefore I didn't want to use variables or any excessive crap.
Code:
#!/bin/sh
#load connection tracking modules (named nf_conntrack and nf_conntrack_ftp on newer kernels)
modprobe ip_conntrack
modprobe ip_conntrack_ftp
#drop everything
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
iptables -A INPUT -m state --state INVALID -j DROP
#make new chain to drop bad tcp packets
iptables -N bad_tcp_packets
iptables -A bad_tcp_packets -p tcp --tcp-flags SYN,ACK SYN,ACK \
-m state --state NEW -j REJECT --reject-with tcp-reset
iptables -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j DROP
#drop pings (echo-request only; a blanket "-p icmp -j DROP" at this point would also
#kill the ESTABLISHED/RELATED and echo-reply rules below, because they come later in the chain)
iptables -A INPUT -p icmp --icmp-type echo-request -j DROP
#allow traffic to loopback
iptables -A INPUT -s 127.0.0.0/8 -d 127.0.0.0/8 -i lo -j ACCEPT
#prevent spoofing of loopback from outside ("! -i lo" is the current syntax, "-i ! lo" the old one)
iptables -A INPUT -s 127.0.0.0/8 ! -i lo -j DROP
#stateful filtering just because I can
iptables -A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p tcp -j bad_tcp_packets
#some rules to keep ping working
iptables -A INPUT -i eth0 -p icmp --icmp-type echo-reply -j ACCEPT
iptables -A INPUT -i eth0 -p icmp --icmp-type destination-unreachable -j ACCEPT
iptables -A INPUT -i eth0 -p icmp --icmp-type time-exceeded -j ACCEPT
#accept connections for bittorrent
#(I use this port because it's the only one which works on the residence network)
iptables -A INPUT -p tcp -i eth0 --dport 179 -m state --state NEW -j ACCEPT
#accept outbound connections to loopback
iptables -A OUTPUT -o lo -j ACCEPT
#more stateful outbound rules
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -p tcp -j bad_tcp_packets
#accept outbound connections from non-privileged ports
iptables -A OUTPUT -o eth0 -p tcp --sport 1024: -j ACCEPT
iptables -A OUTPUT -o eth0 -p udp --sport 1024: -j ACCEPT
#more ping stuff (allow all outbound icmp except redirects)
iptables -A OUTPUT -o eth0 -p icmp ! --icmp-type redirect -j ACCEPT
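Rule order is the easiest thing to get wrong in a script like this: a blanket `-p icmp -j DROP` placed before the per-type ICMP accepts in the same chain silently turns those later rules into dead code, and iptables gives no warning. The following is an added check, not code from the post, that scans rules in `iptables -S` style for exactly that pattern; the ruleset it runs on is a constructed sample.

```sh
#!/bin/sh
# Added example (not from the post): flag ACCEPT rules that can never match because an
# earlier rule in the same chain already drops or rejects their whole protocol
# unconditionally, the way a blanket "-p icmp -j DROP" placed before per-type ICMP
# accepts shadows them. Input is one rule per line in "iptables -S" style.

# Constructed sample that reproduces the shadowing pattern (simplified: real
# "iptables -S" output also inserts "-m icmp" and prints ICMP types numerically).
SAMPLE_RULES='-P INPUT DROP
-A INPUT -m state --state INVALID -j DROP
-A INPUT -p icmp -j DROP
-A INPUT -s 127.0.0.0/8 -d 127.0.0.0/8 -i lo -j ACCEPT
-A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i eth0 -p icmp --icmp-type echo-reply -j ACCEPT
-A INPUT -i eth0 -p icmp --icmp-type time-exceeded -j ACCEPT
-A OUTPUT -o eth0 -p icmp ! --icmp-type redirect -j ACCEPT'

# Print "<chain>: <rule>" for every shadowed ACCEPT rule in the ruleset given as $1.
find_shadowed_rules() {
    printf '%s\n' "$1" | awk '
    # A rule of exactly the form "-A CHAIN -p PROTO -j DROP|REJECT" blocks that
    # protocol for every later rule in the chain; remember it.
    $1 == "-A" && NF == 6 && $3 == "-p" && $5 == "-j" && ($6 == "DROP" || $6 == "REJECT") {
        blocked[$2 " " $4] = 1
        next
    }
    # Any later ACCEPT in the same chain that matches on a blocked protocol is dead.
    $1 == "-A" && $NF == "ACCEPT" {
        proto = ""
        for (i = 3; i < NF; i++) if ($i == "-p") proto = $(i + 1)
        if (proto != "" && (($2 " " proto) in blocked)) print $2 ": " $0
    }'
}

# Number of shadowed rules (0 when the ruleset is clean); handy for scripted checks.
count_shadowed_rules() {
    find_shadowed_rules "$1" | awk 'END { print NR }'
}

find_shadowed_rules "$SAMPLE_RULES"
```

On a live machine the same function can be pointed at the loaded ruleset with `find_shadowed_rules "$(iptables -S)"` (as root).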