Here's the script, BTW
Quote:
#!/bin/sh
#Ethernet card interface to Internet. DHCP Assigned Cable Internet.
INET_IP=""
INET_IFACE="eth0"
#Load iptables/netfilter modules.
/sbin/modprobe ipt_LOG
/sbin/modprobe ip_conntrack_ftp
/sbin/modprobe ip_tables
/sbin/modprobe ip_conntrack
#Drop all incoming, outgoing and forwarding packets.
iptables -P INPUT DROP #Drops all incoming packets from all interfaces.
iptables -P OUTPUT DROP #Drops all outgoing packets from all interfaces.
iptables -P FORWARD DROP #Drops all forwarding packets from all interfaces.
#The weakest link
iptables -A INPUT -i eth0 -p tcp --sport 21 -m state --state NEW,ESTABLISHED -j ACCEPT
#Accept certain incoming ICMP packet types.
iptables -A OUTPUT -o eth0 -p icmp -j ACCEPT
iptables -A INPUT -i eth0 -p icmp --icmp-type address-mask-reply -j ACCEPT
iptables -A INPUT -i eth0 -p icmp --icmp-type required-option-missing -j ACCEPT
iptables -A INPUT -i eth0 -p icmp --icmp-type parameter-problem -j ACCEPT
iptables -A INPUT -i eth0 -p icmp --icmp-type ip-header-bad -j ACCEPT
iptables -A INPUT -i eth0 -p icmp --icmp-type time-exceeded -j ACCEPT
iptables -A INPUT -i eth0 -p icmp --icmp-type TOS-host-unreachable -j ACCEPT
iptables -A INPUT -i eth0 -p icmp --icmp-type source-route-failed -j ACCEPT
iptables -A INPUT -i eth0 -p icmp --icmp-type network-unknown -j ACCEPT
iptables -A INPUT -i eth0 -p icmp --icmp-type echo-reply -j ACCEPT
#Drop certain incoming ICMP packet types.
iptables -A INPUT -i eth0 -p icmp --icmp-type destination-unreachable -j DROP
iptables -A INPUT -i eth0 -p icmp --icmp-type network-unreachable -j DROP
iptables -A INPUT -i eth0 -p icmp --icmp-type host-unreachable -j DROP
iptables -A INPUT -i eth0 -p icmp --icmp-type protocol-unreachable -j DROP
iptables -A INPUT -i eth0 -p icmp --icmp-type port-unreachable -j DROP
iptables -A INPUT -i eth0 -p icmp --icmp-type fragmentation-needed -j DROP
iptables -A INPUT -i eth0 -p icmp --icmp-type host-unknown -j DROP
iptables -A INPUT -i eth0 -p icmp --icmp-type network-prohibited -j DROP
iptables -A INPUT -i eth0 -p icmp --icmp-type host-prohibited -j DROP
iptables -A INPUT -i eth0 -p icmp --icmp-type TOS-network-unreachable -j DROP
iptables -A INPUT -i eth0 -p icmp --icmp-type communication-prohibited -j DROP
iptables -A INPUT -i eth0 -p icmp --icmp-type host-precedence-violation -j DROP
iptables -A INPUT -i eth0 -p icmp --icmp-type precedence-cutoff -j DROP
iptables -A INPUT -i eth0 -p icmp --icmp-type source-quench -j DROP
iptables -A INPUT -i eth0 -p icmp --icmp-type redirect -j DROP
iptables -A INPUT -i eth0 -p icmp --icmp-type network-redirect -j DROP
iptables -A INPUT -i eth0 -p icmp --icmp-type host-redirect -j DROP
iptables -A INPUT -i eth0 -p icmp --icmp-type TOS-network-redirect -j DROP
iptables -A INPUT -i eth0 -p icmp --icmp-type TOS-host-redirect -j DROP
iptables -A INPUT -i eth0 -p icmp --icmp-type echo-request -m limit --limit 1/s --limit-burst 1 -j LOG --log-level --log-prefix PING-REQUEST
iptables -A INPUT -i eth0 -p icmp --icmp-type echo-request -j DROP
iptables -A INPUT -i eth0 -p icmp --icmp-type router-advertisement -j DROP
iptables -A INPUT -i eth0 -p icmp --icmp-type router-solicitation -j DROP
iptables -A INPUT -i eth0 -p icmp --icmp-type ttl-zero-during-transit -j DROP
iptables -A INPUT -i eth0 -p icmp --icmp-type ttl-zero-during-reassembly -j DROP
iptables -A INPUT -i eth0 -p icmp --icmp-type timestamp-request -j DROP
#Active FTP.
iptables -A INPUT -i eth0 -p tcp --sport 20 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p tcp -m state --state NEW,RELATED,ESTABLISHED --sport 53 -d $INET_IP --dport 1023:65535 -j ACCEPT
iptables -A INPUT -p tcp -m state --state NEW,RELATED,ESTABLISHED --sport 53 -d $INET_IP --dport 1023:65535 -j ACCEPT
iptables -A INPUT -p udp -m state --state RELATED,ESTABLISHED -s 0/0 --sport 53 -d $INET_IP --dport 1023:65535 -j ACCEPT
iptables -A INPUT -p udp -m state --state RELATED,ESTABLISHED -s 0/0 --sport 53 -d 10.50.28.4 --dport 1023:65535 -j ACCEPT
#Syn-flood protection.
iptables -A INPUT -p tcp --syn -m limit --limit 1/s --limit-burst 4 -j ACCEPT
#Drop nasty flags.
iptables -A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -j LOG --log-level --log-prefix
BAD_FLAG ! L1"
iptables -A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
iptables -A INPUT -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j LOG --log-level --log-prefix
BAD_FLAG ! L2"
iptables -A INPUT -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP
iptables -A INPUT -p tcp --tcp-flags ALL NONE -j LOG --log-level --log-prefix BAD_FLAG
! L3"
iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
iptables -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j LOG --log-level --log-prefix
BAD_FLAG ! L4"
iptables -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
iptables -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j LOG --log-level --log-prefix
BAD_FLAG ! L5"
iptables -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
#Stealth port scanner protection.
iptables -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s -j ACCEPT
iptables -A syn-flood -j LOG --log-level --log-prefix SYN Flood stopped
#Ping of death protection.
iptables -A FORWARD -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT
|
Thanks a lot in advance
|