From: "hare ram" <hareram@sol.net.in>
To: system@eluminoustechnologies.com,
	iptables <netfilter@lists.netfilter.org>
Subject: Re: Firewall script
Date: Mon, 23 Dec 2002 19:52:48 +0530
Message-ID: <01ca01c2aa8e$c51ec040$13fcc5cb@Housecall>
In-Reply-To: 00cc01c2aa7f$64e82860$1a01a8c0@vishal

Hi

Check the iptables path.

Is this correct? It is supposed to be /sbin/iptables (depends on the distro you are using):

IPTABLES="//sbin/iptables"

Better you run the script from the console, so you will find out if there are any errors in the script.

hare

  ----- Original Message -----
  From: system@eluminoustechnologies.com
  To: iptables
  Sent: Monday, December 23, 2002 6:02 PM
  Subject: Firewall script


  Hi All,

  Following is the policy that my firewall generation script gives, but my system hangs when I execute this. I am using ssh to execute this script. My aim is very simple: to close all unused ports. My entire script goes like this. Can you please help me in correcting the script?

  #!/bin/sh
  ###################################################################################
  # IPTABLES Firewall script
  # written by ts
  ###################################################################################

  IPTABLES="//sbin/iptables"

  echo "Flushing rules..."
  $IPTABLES -F
  $IPTABLES -X

  # Flush the built-in chains; the default policies stay ACCEPT, and the explicit
  # DROP rules at the end of the script catch everything not allowed above
  $IPTABLES -F INPUT
  $IPTABLES -F OUTPUT
  $IPTABLES -F FORWARD
  $IPTABLES -P INPUT ACCEPT
  $IPTABLES -P OUTPUT ACCEPT


  LOOP_IF="lo"


  ###########################################################################
  #----Set network sysctl options-----#
  echo "--Setting sysctl options--"

  echo "Disabling IP Spoofing attacks"
  echo 2 > /proc/sys/net/ipv4/conf/all/rp_filter

  echo "Disabling respond to broadcast pings"
  echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts

  echo "Blocking source routing"
  echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route

  echo "Kill timestamps"
  echo 0 > /proc/sys/net/ipv4/tcp_timestamps

  echo "Enable SYN Cookies"
  echo 1 > /proc/sys/net/ipv4/tcp_syncookies

  echo "Kill redirects"
  echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects

  echo "Enabling bad error message protection"
  echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses

  echo "Logging martians (packets with impossible addresses)"
  echo 1 > /proc/sys/net/ipv4/conf/all/log_martians

  echo "Reducing DoS'ing ability by reducing timeouts"
  echo 30 > /proc/sys/net/ipv4/tcp_fin_timeout
  echo 2400 > /proc/sys/net/ipv4/tcp_keepalive_time
  echo 0 > /proc/sys/net/ipv4/tcp_window_scaling
  echo 0 > /proc/sys/net/ipv4/tcp_sack
  echo "Done..."

  #########################################################################
  echo "--Setting up standard rules--"

  echo "Allow unlimited traffic on the loopback interface"
  $IPTABLES -A INPUT -i lo -j ACCEPT
  $IPTABLES -A OUTPUT -o lo -j ACCEPT

  echo "Enabling SYN-FLOODING PROTECTION"
  $IPTABLES -N syn-flood
  $IPTABLES -A INPUT -p tcp --syn -j syn-flood
  $IPTABLES -A syn-flood -m limit --limit 1/s --limit-burst 4 -j RETURN
  $IPTABLES -A syn-flood -j DROP

  echo "Making sure NEW tcp connections are SYN packets"
  $IPTABLES -A INPUT -p tcp ! --syn -m state --state NEW -j DROP

  echo "Logging fragments caught"
  $IPTABLES -N fragments
  $IPTABLES -A INPUT -f -j fragments
  $IPTABLES -A fragments -j LOG --log-prefix "IPTABLES FRAGMENTS:"
  $IPTABLES -A fragments -j DROP

  echo "Refusing spoofed packets pretending to be from your IP address"
  #$IPTABLES -A INPUT -s $NET_IPADDR -j DROP
  echo "Done..."

  ##########################################################################
  echo "--Setting up user defined chains--"

  echo "Allow SSH(22/tcp)"
  $IPTABLES -A INPUT -p tcp --sport 22 -j ACCEPT
  $IPTABLES -A OUTPUT -p tcp --dport 22 -j ACCEPT


  echo "Allow ftp"
  $IPTABLES -A INPUT -p tcp --sport 21 -m state --state ESTABLISHED -j ACCEPT
  $IPTABLES -A OUTPUT -p tcp --dport 21 -m state --state NEW,ESTABLISHED -j ACCEPT

  echo "Active ftp"
  $IPTABLES -A INPUT -p tcp --sport 20 -m state --state ESTABLISHED,RELATED -j ACCEPT
  $IPTABLES -A OUTPUT -p tcp --dport 20 -m state --state ESTABLISHED -j ACCEPT

  echo "Passive ftp"
  $IPTABLES -A INPUT -p tcp --sport 1024:65535 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
  $IPTABLES -A OUTPUT -p tcp --sport 1024:65535 --dport 1024:65535 -m state --state ESTABLISHED,RELATED -j ACCEPT


  echo "Allow DNS(53/tcp&udp)"
  $IPTABLES -A INPUT -p tcp --sport 53 -j ACCEPT
  $IPTABLES -A INPUT -p udp --sport 53 -j ACCEPT
  $IPTABLES -A INPUT -p tcp --sport 53 -j ACCEPT
  $IPTABLES -A INPUT -p udp --sport 53 -j ACCEPT
  $IPTABLES -A OUTPUT -p tcp --dport 53 -j ACCEPT
  $IPTABLES -A OUTPUT -p udp --dport 53 -j ACCEPT
  $IPTABLES -A OUTPUT -p tcp --dport 53 -j ACCEPT
  $IPTABLES -A OUTPUT -p udp --dport 53 -j ACCEPT

  echo "Allow SFTP(115/tcp)to the internet"
  $IPTABLES -A OUTPUT -p tcp --dport 115 -j ACCEPT
  $IPTABLES -A INPUT -p tcp --sport 115 -j ACCEPT

  echo "Allow IMAP2"
  $IPTABLES -A OUTPUT -p tcp --dport 143 -j ACCEPT
  $IPTABLES -A INPUT -p tcp --sport 143 -j ACCEPT

  echo "Allow HTTP(80)(tcp&udp)to the internet"
  $IPTABLES -A OUTPUT -p tcp --dport 80 -j ACCEPT
  $IPTABLES -A INPUT -p tcp --sport 80 -j ACCEPT


  echo "Allow https"
  $IPTABLES -A OUTPUT -p tcp --dport 443 -j ACCEPT
  $IPTABLES -A INPUT -p tcp --sport 443 -j ACCEPT


  echo "Allow plesk admin"
  $IPTABLES -A OUTPUT -p tcp --dport 8443 -j ACCEPT
  $IPTABLES -A INPUT -p tcp --sport 8443 -j ACCEPT


  echo "Rejecting all connections to 137:139"
  $IPTABLES -N NETBIOS
  $IPTABLES -A INPUT -p udp --sport 137:139 -j NETBIOS
  $IPTABLES -A NETBIOS -j LOG --log-prefix "IPTABLES NETBIOS: "
  $IPTABLES -A NETBIOS -j DROP

  echo "Allowing SMTP"
  $IPTABLES -A OUTPUT -p tcp --dport 25 -j ACCEPT
  $IPTABLES -A INPUT -p tcp --sport 25 -j ACCEPT

  echo "Allowing POP3"
  $IPTABLES -A OUTPUT -p tcp --dport 110 -j ACCEPT
  $IPTABLES -A INPUT -p tcp --sport 110 -j ACCEPT

  echo "Allowing Ident"
  $IPTABLES -A OUTPUT -p tcp --dport 113 -j ACCEPT
  $IPTABLES -A INPUT -p tcp --sport 113 -j ACCEPT

  echo "Rejecting all other packets"
  $IPTABLES -A INPUT -j DROP
  $IPTABLES -A OUTPUT -j DROP

  echo "Done..."

  #################################################################################
  echo "Firewall construction completed"
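One lockout-safe way to apply such a policy over SSH, added here as an example rather than taken from the thread: the rule set is emitted as text, checked to confirm that new inbound SSH (--dport 22 on INPUT, which the posted script matches the other way round with --sport 22) is accepted before the catch-all DROP, and then applied under a watchdog that flushes the rules again unless the admin cancels it in time. It assumes iptables at /sbin/iptables, SSH on 22/tcp and a 120-second window, and it only touches the kernel when run as root with FW_APPLY=1.

```shell
#!/bin/sh
# Added example (not from the thread): apply an iptables policy over SSH
# without locking yourself out of the session that runs it. Assumptions:
# iptables at /sbin/iptables, SSH on 22/tcp, 120 s grace window (env-overridable).
IPTABLES="${IPTABLES:-/sbin/iptables}"
SSH_PORT="${SSH_PORT:-22}"
ROLLBACK_SECS="${ROLLBACK_SECS:-120}"

# Emit the rule set one rule per line instead of running it, so it can be
# checked before it touches the kernel. Inbound SSH arrives with --dport 22;
# its replies (and all other return traffic) are covered by the ESTABLISHED rule.
ssh_safe_rules() {
    printf '%s\n' \
        "-A INPUT -i lo -j ACCEPT" \
        "-A OUTPUT -o lo -j ACCEPT" \
        "-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT" \
        "-A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT" \
        "-A INPUT -p tcp --dport $SSH_PORT -m state --state NEW -j ACCEPT" \
        "-A INPUT -j LOG --log-prefix \"IPTABLES DROP: \"" \
        "-A INPUT -j DROP"
}

# Read rules on stdin; succeed only if new inbound SSH is accepted on INPUT
# before the chain's catch-all DROP (the posted script never does this).
check_ssh_reachable() {
    awk -v p="$SSH_PORT" '
        /^-A INPUT -j DROP$/ { seen_drop = 1 }
        /^-A INPUT / && index($0, "--dport " p " ") && /-j ACCEPT$/ && !seen_drop { ok = 1 }
        END { if (ok) exit 0; exit 1 }'
}

# Apply with a watchdog: unless the admin reconnects and kills it within
# ROLLBACK_SECS, the watchdog flushes back to an open ACCEPT policy. It ignores
# SIGHUP so that it survives the SSH session being cut off.
apply_with_rollback() {
    ssh_safe_rules | check_ssh_reachable || {
        echo "refusing to apply: inbound SSH is not accepted before DROP" >&2
        return 1
    }
    (trap '' HUP; sleep "$ROLLBACK_SECS"; $IPTABLES -F; $IPTABLES -P INPUT ACCEPT) &
    watchdog=$!
    $IPTABLES -F; $IPTABLES -X
    $IPTABLES -P INPUT ACCEPT; $IPTABLES -P OUTPUT ACCEPT
    ssh_safe_rules | while read -r rule; do
        eval "$IPTABLES $rule"   # rules are the constants above, so eval is safe
    done
    echo "applied; run 'kill $watchdog' within ${ROLLBACK_SECS}s to keep the rules"
}
# Only touch the kernel when explicitly asked (needs root).
if [ "${FW_APPLY:-0}" = 1 ]; then apply_with_rollback; fi
```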
