From: mdew <mdew@mdew.dyndns.org>
To: netfilter <netfilter@lists.netfilter.org>
Subject: New Script
Date: 10 Jan 2003 01:38:56 +1300
Message-ID: <1042115936.423.58.camel@nirvana>
Ok, after taking a few samples from scripts in the mailing list, I've
come up with this... hopefully my edonkey problem has been solved with
this script. I haven't actually tested this yet, probably tomorrow (it's a
bit late).
Current router setup:
(Internet) 210.54.175.12->eth0---Router--->eth1 10.0.0.6 -=> 10.0.0.x
#!/bin/bash
IPTABLES="/sbin/iptables"
PAUL="10.0.0.9"
echo "1" > /proc/sys/net/ipv4/ip_forward
echo "Executing The Firewall..."
echo ""
echo -n "Loading Modules..."
/sbin/modprobe ip_conntrack_ftp
/sbin/modprobe ip_conntrack_irc
/sbin/modprobe ip_nat_irc
/sbin/modprobe ip_nat_ftp
/sbin/modprobe ipt_state
/sbin/modprobe ipt_limit
/sbin/modprobe ipt_LOG
echo "Done"
# Flush the built-in chains, then empty and delete the user chains so the
# -N lines further down do not fail when the script is run a second time
$IPTABLES -F INPUT
$IPTABLES -F OUTPUT
$IPTABLES -F FORWARD
for chain in NETBIOS PAULS_STUFF; do
    $IPTABLES -F $chain 2>/dev/null
    $IPTABLES -X $chain 2>/dev/null
done
$IPTABLES -P INPUT ACCEPT
$IPTABLES -P OUTPUT ACCEPT
echo "Allow unlimited traffic on the loopback interface"
$IPTABLES -A INPUT -i lo -j ACCEPT
$IPTABLES -A OUTPUT -o lo -j ACCEPT
echo "Refusing spoofed packets pretending to be from your IP address"
$IPTABLES -A INPUT -s 210.54.175.12 -j DROP
echo "Allow SSH"
# Is this correct?
$IPTABLES -A INPUT -i eth0 -p tcp --sport 22 -j ACCEPT
$IPTABLES -A INPUT -i eth1 -p tcp --sport 22 -j ACCEPT
$IPTABLES -A INPUT -i eth0 -p tcp --dport 22 -j ACCEPT
$IPTABLES -A INPUT -i eth1 -p tcp --dport 22 -j ACCEPT
echo "Allow ftp"
$IPTABLES -A INPUT -p tcp --sport 21 -m state --state ESTABLISHED -j ACCEPT
$IPTABLES -A OUTPUT -p tcp --dport 21 -m state --state NEW,ESTABLISHED -j ACCEPT
echo "Active ftp"
$IPTABLES -A INPUT -p tcp --sport 20 -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A OUTPUT -p tcp --dport 20 -m state --state ESTABLISHED -j ACCEPT
echo "Passive ftp"
$IPTABLES -A INPUT -p tcp --sport 1024:65535 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
$IPTABLES -A OUTPUT -p tcp --sport 1024:65535 --dport 1024:65535 -m state --state ESTABLISHED,RELATED -j ACCEPT
echo "Allow DNS"
$IPTABLES -A INPUT -p tcp --sport 53 -j ACCEPT
$IPTABLES -A INPUT -p udp --sport 53 -j ACCEPT
$IPTABLES -A OUTPUT -p tcp --dport 53 -j ACCEPT
$IPTABLES -A OUTPUT -p udp --dport 53 -j ACCEPT
echo "Allow SFTP"
$IPTABLES -A OUTPUT -p tcp --dport 115 -j ACCEPT
$IPTABLES -A INPUT -p tcp --sport 115 -j ACCEPT
echo "Allow HTTP"
$IPTABLES -A OUTPUT -p tcp --dport 80 -j ACCEPT
$IPTABLES -A INPUT -p tcp --sport 80 -j ACCEPT
echo "Allow https"
$IPTABLES -A OUTPUT -p tcp --dport 443 -j ACCEPT
$IPTABLES -A INPUT -p tcp --sport 443 -j ACCEPT
echo "Rejecting all connections to 135:139"
# User chain: log the packet, then drop it
$IPTABLES -N NETBIOS
$IPTABLES -A INPUT -p udp --sport 135:139 -j NETBIOS
$IPTABLES -A INPUT -p tcp --sport 135:139 -j NETBIOS
$IPTABLES -A INPUT -p udp --dport 135:139 -j NETBIOS
$IPTABLES -A INPUT -p tcp --dport 135:139 -j NETBIOS
$IPTABLES -A NETBIOS -j LOG --log-prefix "IPTABLES NETBIOS: "
$IPTABLES -A NETBIOS -j DROP
echo "Limit port 4665 traffic to PAUL"
# User chain: log (at most one match per hour passes the limit), then accept
$IPTABLES -N PAULS_STUFF
$IPTABLES -A FORWARD -p tcp -s $PAUL --dport 4665 -m limit --limit 1/hour -j PAULS_STUFF
$IPTABLES -A FORWARD -p udp -s $PAUL --dport 4665 -m limit --limit 1/hour -j PAULS_STUFF
$IPTABLES -A FORWARD -p udp -s $PAUL --sport 4665 -m limit --limit 1/hour -j PAULS_STUFF
$IPTABLES -A FORWARD -p tcp -s $PAUL --sport 4665 -m limit --limit 1/hour -j PAULS_STUFF
$IPTABLES -A PAULS_STUFF -j LOG --log-prefix "IPTABLES PAUL: "
$IPTABLES -A PAULS_STUFF -j ACCEPT
echo "Allowing SMTP"
$IPTABLES -A OUTPUT -p tcp --dport 25 -j ACCEPT
$IPTABLES -A INPUT -p tcp --sport 25 -j ACCEPT
echo "Allowing POP3"
$IPTABLES -A OUTPUT -p tcp --dport 110 -j ACCEPT
$IPTABLES -A INPUT -p tcp --sport 110 -j ACCEPT
echo "Allowing Ident"
$IPTABLES -A OUTPUT -p tcp --dport 113 -j ACCEPT
$IPTABLES -A INPUT -p tcp --sport 113 -j ACCEPT
echo "Allowing Netmeeting/MSN"
$IPTABLES -t nat -A PREROUTING -i eth0 -p tcp --dport 1863 -j \
    REDIRECT --to-ports 1863
$IPTABLES -t nat -A PREROUTING -i eth0 -p tcp --dport 389 -j \
    REDIRECT --to-ports 389
$IPTABLES -t nat -A PREROUTING -i eth0 -p tcp --dport 522 -j \
    REDIRECT --to-ports 522
echo "Allowing EDonkey2k/Emule"
echo "See: http://www.emule-project.net/faq/ports.htm"
# should i use any -A FORWARD or PREROUTING here?
$IPTABLES -A OUTPUT -p tcp --dport 4661 -j ACCEPT
$IPTABLES -A INPUT -p tcp --sport 4661 -j ACCEPT
$IPTABLES -A OUTPUT -p tcp --dport 4662 -j ACCEPT
$IPTABLES -A INPUT -p tcp --sport 4662 -j ACCEPT
$IPTABLES -A OUTPUT -p udp --dport 4665 -j ACCEPT
$IPTABLES -A INPUT -p udp --sport 4665 -j ACCEPT
$IPTABLES -A OUTPUT -p udp --dport 4672 -j ACCEPT
$IPTABLES -A INPUT -p udp --sport 4672 -j ACCEPT
# Catch-all stateful rules for everything the router itself started
$IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
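As an added example (not part of mdew's post and not netfilter project code), here is a stateful rule set for the router layout drawn at the top of the message, written so it can be rendered in dry-run mode and reviewed before anything is loaded. It assumes eth0 carries 210.54.175.12, eth1 faces a 10.0.0.0/24 LAN, and PAUL (10.0.0.9) runs the eMule client; the listening ports it forwards, 4662/tcp and 4672/udp, are taken from the port list already in the script. It answers the two questions in the script's comments from a defender's side: eMule traffic for a LAN host belongs in the FORWARD chain, with PREROUTING (nat table) DNAT for the inbound ports, and SSH to the router should be matched on the destination port of NEW connections, because a remote host can choose source port 22 at will. Replies are admitted by conntrack state, which makes the per-service --sport rules unnecessary.

```shell
#!/bin/sh
# Added example, not code from the original post. Assumed layout (from the
# diagram above): eth0 = Internet side 210.54.175.12, eth1 = LAN 10.0.0.0/24,
# PAUL = 10.0.0.9 running eMule. DRY_RUN=1 prints the commands instead of
# running them so the rule set can be reviewed on any box.

WAN_IF="${WAN_IF:-eth0}"
WAN_IP="${WAN_IP:-210.54.175.12}"
LAN_IF="${LAN_IF:-eth1}"
LAN_NET="${LAN_NET:-10.0.0.0/24}"
PAUL="${PAUL:-10.0.0.9}"

# Run iptables, or only print the command line in dry-run mode
ipt() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        echo "iptables $*"
    else
        /sbin/iptables "$@"
    fi
}

load_router_rules() {
    [ "${DRY_RUN:-0}" = "1" ] || echo 1 > /proc/sys/net/ipv4/ip_forward

    # Clean slate; deny by default for what arrives at or passes through the router
    ipt -F
    ipt -X
    ipt -t nat -F
    ipt -P INPUT DROP
    ipt -P FORWARD DROP
    ipt -P OUTPUT ACCEPT

    ipt -A INPUT -i lo -j ACCEPT

    # Anti-spoofing: packets arriving from the Internet must not claim a LAN address
    ipt -A INPUT -i "$WAN_IF" -s "$LAN_NET" -j DROP
    ipt -A FORWARD -i "$WAN_IF" -s "$LAN_NET" -j DROP

    # Replies to connections the router or a LAN host opened. This stateful pair
    # replaces all the per-service "--sport N -j ACCEPT" rules.
    ipt -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

    # SSH to the router: match the destination port of NEW connections. A rule on
    # "--sport 22" would admit any packet whose sender happened to use port 22.
    ipt -A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT

    # LAN hosts may open anything outbound; hide them behind the public address
    ipt -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" -m state --state NEW -j ACCEPT
    ipt -t nat -A POSTROUTING -o "$WAN_IF" -s "$LAN_NET" -j SNAT --to-source "$WAN_IP"

    # eMule on PAUL: inbound TCP 4662 and UDP 4672 are rewritten to the LAN host in
    # PREROUTING (nat table) and then permitted in FORWARD. Outbound 4661/4665 are
    # already covered by the generic LAN-to-Internet rule above.
    for spec in "tcp 4662" "udp 4672"; do
        set -- $spec
        ipt -t nat -A PREROUTING -i "$WAN_IF" -p "$1" --dport "$2" -j DNAT --to-destination "$PAUL"
        ipt -A FORWARD -i "$WAN_IF" -o "$LAN_IF" -p "$1" -d "$PAUL" --dport "$2" -m state --state NEW -j ACCEPT
    done

    # NetBIOS probes from the Internet: rate-limited log entry, then drop
    ipt -N NETBIOS
    ipt -A NETBIOS -m limit --limit 5/minute -j LOG --log-prefix "IPTABLES NETBIOS: "
    ipt -A NETBIOS -j DROP
    ipt -A INPUT -i "$WAN_IF" -p tcp --dport 135:139 -j NETBIOS
    ipt -A INPUT -i "$WAN_IF" -p udp --dport 135:139 -j NETBIOS
}

# Render the rule set as text (dry run in a subshell, so DRY_RUN does not leak)
render_rules() {
    ( DRY_RUN=1; load_router_rules )
}

# "show" prints the rules for review; "apply" loads them (needs root)
if [ "${1:-}" = "show" ]; then
    render_rules
elif [ "${1:-}" = "apply" ]; then
    load_router_rules
fi
```

Run it as `sh router-rules.sh show` to read the generated iptables commands, and as root with `apply` to load them. Because both chains default to DROP, any service the router itself must accept from outside needs its own `--dport`/NEW rule next to the SSH one; everything the LAN or the router initiates comes back through the ESTABLISHED,RELATED rules without further per-port entries.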