Old 12-13-2008, 11:21 AM   #1
n3uro
LQ Newbie
 
Registered: Dec 2008
Posts: 7

Rep: Reputation: 0
Slackware 11, firewall


Using these rules:

Code:
#!/bin/sh

# Begin /bin/firewall-start

# Insert connection-tracking modules (not needed if built into the kernel).
modprobe ip_tables
modprobe iptable_filter
modprobe ip_conntrack
modprobe ip_conntrack_ftp
modprobe ipt_state
modprobe ipt_LOG

# allow full access only to 10.108.147.3
#iptables -A INPUT -i eth0 -s 10.108.147.3 -j ACCEPT


# allow everything only for port 80
iptables -A INPUT -p tcp --dport 80 -j ACCEPT

# anti-flooding module (rate-limit incoming pings)
iptables -A INPUT -p icmp --icmp-type echo-request -m limit --limit 1/s --limit-burst 10 -j ACCEPT

# free output on any interface to any ip for any service
# (equal to -P ACCEPT)
iptables -A OUTPUT -j ACCEPT

# permit answers on already established connections
# and permit new connections related to established ones (eg active-ftp)
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# Log everything else: What's Windows' latest exploitable vulnerability?
iptables -A INPUT -j LOG --log-prefix "FIREWALL:INPUT "

# set a sane policy: everything not accepted > /dev/null
#iptables -P INPUT DROP
#iptables -P FORWARD DROP
#iptables -P OUTPUT DROP

# be verbose on dynamic ip-addresses (not needed in case of static IP)
echo 2 > /proc/sys/net/ipv4/ip_dynaddr

# disable ExplicitCongestionNotification - too many routers are still
# ignorant
echo 0 > /proc/sys/net/ipv4/tcp_ecn

# If you are frequently accessing ftp-servers or enjoy chatting you might
# notice certain delays because some implementations of these daemons have
# the feature of querying an identd on your box for your username for
# logging. Although there's really no harm in this, having an identd
# running is not recommended because some implementations are known to be
# vulnerable.
# To avoid these delays you could reject the requests with a 'tcp-reset':
#iptables -A INPUT -p tcp --dport 113 -j REJECT --reject-with tcp-reset
#iptables -A OUTPUT -p tcp --sport 113 -m state --state RELATED -j ACCEPT

# To log and drop invalid packets, mostly harmless packets that came in
# after netfilter's timeout, sometimes scans:
#iptables -I INPUT 1 -p tcp -m state --state INVALID -j LOG --log-prefix "FIREWALL:INVALID"
#iptables -I INPUT 2 -p tcp -m state --state INVALID -j DROP

# End /bin/firewall-start
I need to set just one open port (80) for incoming connections, but
Code:
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
is not working.
Can somebody check these rules and fix my mistakes?

EDIT:

And I need a port for samba for the LAN IP.

Last edited by n3uro; 12-13-2008 at 11:24 AM.
 
Old 12-14-2008, 09:31 AM   #2
fordeck
Member
 
Registered: Oct 2006
Location: Utah
Posts: 520

Rep: Reputation: 61
I added the following section to your existing script:

Code:
# Clear the existing firewall rules

iptables -P INPUT DROP          # Set default policy to DROP
iptables -P FORWARD DROP        # Set default policy to DROP
iptables -P OUTPUT DROP         # Set default policy to DROP
iptables -F                     # Flush all chains
iptables -X                     # Delete all user-defined chains

for table in filter nat mangle
do
        iptables -t $table -F   # Delete the table's rules
        iptables -t $table -X   # Delete the table's chains
        iptables -t $table -Z   # Zero the table's counters
done
Here is the modified script:

Code:
#!/bin/sh

# Begin /bin/firewall-start

# Insert connection-tracking modules (not needed if built into the kernel).
modprobe ip_tables
modprobe iptable_filter
modprobe ip_conntrack
modprobe ip_conntrack_ftp
modprobe ipt_state
modprobe ipt_LOG

# Clear the existing firewall rules

iptables -P INPUT DROP          # Set default policy to DROP
iptables -P FORWARD DROP        # Set default policy to DROP
iptables -P OUTPUT DROP         # Set default policy to DROP
iptables -F                     # Flush all chains
iptables -X                     # Delete all user-defined chains

for table in filter nat mangle
do
        iptables -t $table -F   # Delete the table's rules
        iptables -t $table -X   # Delete the table's chains
        iptables -t $table -Z   # Zero the table's counters
done

# allow full access only to 10.108.147.3
#iptables -A INPUT -i eth0 -s 10.108.147.3 -j ACCEPT


# allow everything only for port 80
iptables -A INPUT -p tcp --dport 80 -j ACCEPT

# anti-flooding module (rate-limit incoming pings)
iptables -A INPUT -p icmp --icmp-type echo-request -m limit --limit 1/s --limit-burst 10 -j ACCEPT

# free output on any interface to any ip for any service
# (equal to -P ACCEPT)
iptables -A OUTPUT -j ACCEPT

# permit answers on already established connections
# and permit new connections related to established ones (eg active-ftp)
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# Log everything else: What's Windows' latest exploitable vulnerability?
iptables -A INPUT -j LOG --log-prefix "FIREWALL:INPUT "

# set a sane policy: everything not accepted > /dev/null
#iptables -P INPUT DROP
#iptables -P FORWARD DROP
#iptables -P OUTPUT DROP

# be verbose on dynamic ip-addresses (not needed in case of static IP)
echo 2 > /proc/sys/net/ipv4/ip_dynaddr

# disable ExplicitCongestionNotification - too many routers are still
# ignorant
echo 0 > /proc/sys/net/ipv4/tcp_ecn

# If you are frequently accessing ftp-servers or enjoy chatting you might
# notice certain delays because some implementations of these daemons have
# the feature of querying an identd on your box for your username for
# logging. Although there's really no harm in this, having an identd
# running is not recommended because some implementations are known to be
# vulnerable.
# To avoid these delays you could reject the requests with a 'tcp-reset':
#iptables -A INPUT -p tcp --dport 113 -j REJECT --reject-with tcp-reset
#iptables -A OUTPUT -p tcp --sport 113 -m state --state RELATED -j ACCEPT

# To log and drop invalid packets, mostly harmless packets that came in
# after netfilter's timeout, sometimes scans:
#iptables -I INPUT 1 -p tcp -m state --state INVALID -j LOG --log-prefix "FIREWALL:INVALID"
#iptables -I INPUT 2 -p tcp -m state --state INVALID -j DROP

# End /bin/firewall-start
Try this and see if it does what you are looking for.

Regards,
Fordeck
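A complete rule set for what the thread asks for (only port 80 open to the world, samba reachable only from the LAN), added here as an example and not code posted by n3uro or fordeck. It assumes eth0 is the LAN interface and 10.108.147.0/24 is the LAN (taken from the commented-out address in the script; change both to match the box), and unlike the scripts above it also accepts loopback traffic, which a DROP policy on INPUT otherwise blocks for local services, and rate-limits the catch-all LOG rule so a port scan cannot fill the log.

```shell
#!/bin/sh
# Added example, not from the thread. Assumptions (change to match the box):
#   eth0 is the LAN interface, 10.108.147.0/24 is the LAN.
# The modprobe lines from the original script still have to run before this
# on kernels without built-in connection tracking.
IPT=${IPT:-iptables}
LAN_IF=${LAN_IF:-eth0}
LAN_NET=${LAN_NET:-10.108.147.0/24}

firewall_rules() {
    # Policies first, then flush, so nothing is accepted while chains are empty
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT
    $IPT -F
    $IPT -X

    # Loopback: with INPUT DROP, local services break without this
    $IPT -A INPUT -i lo -j ACCEPT

    # Replies to our own connections and related ones (e.g. active-ftp data)
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Packets conntrack cannot classify: drop without logging
    $IPT -A INPUT -m state --state INVALID -j DROP

    # The single public service: HTTP from anywhere
    $IPT -A INPUT -p tcp --dport 80 -m state --state NEW -j ACCEPT

    # Samba (NetBIOS name/datagram, session, direct SMB) from the LAN only,
    # bound to the LAN interface so a spoofed LAN source elsewhere does not match
    $IPT -A INPUT -i "$LAN_IF" -s "$LAN_NET" -p udp -m multiport --dports 137,138 -j ACCEPT
    $IPT -A INPUT -i "$LAN_IF" -s "$LAN_NET" -p tcp -m multiport --dports 139,445 -j ACCEPT

    # Ping, rate limited; the excess falls through to LOG and the DROP policy
    $IPT -A INPUT -p icmp --icmp-type echo-request -m limit --limit 1/s --limit-burst 10 -j ACCEPT

    # Log what is left, rate limited so a port scan cannot fill the disk
    $IPT -A INPUT -m limit --limit 5/min --limit-burst 10 -j LOG --log-prefix "FIREWALL:INPUT "
}

# Preview helper: IPT=ipt_print prints the commands instead of applying them
ipt_print() { printf '%s\n' "$*"; }

# Apply only when explicitly asked, so sourcing the file for a preview is safe
if [ "${FIREWALL_APPLY:-0}" = 1 ]; then
    firewall_rules
fi
```

Run it as `FIREWALL_APPLY=1 sh firewall-start` to apply, or `IPT=ipt_print sh -c '. ./firewall-start; firewall_rules'` to print the rules first; then check the result with `iptables -L -v -n`.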