Linux Netfilter discussions
From: Arnt Karlsen <arnt@c2i.net>
To: netfilter@lists.netfilter.org
Subject: Re: New Script
Date: Thu, 9 Jan 2003 14:38:01 +0100	[thread overview]
Message-ID: <20030109143801.09b1f7cf.arnt@c2i.net> (raw)
In-Reply-To: <1042115936.423.58.camel@nirvana>

On 10 Jan 2003 01:38:56 +1300, 
mdew <mdew@mdew.dyndns.org> wrote in message 
<1042115936.423.58.camel@nirvana>:

> Ok, after taking a few samples from scripts in the mailing list, I've
> come up with this... hopefully my edonkey problem has been solved with
> this script. I haven't actually tested this yet, probably tomorrow (it's
> a bit late).
> 
> Current router setup:
> (Internet) 210.54.175.12->eth0---Router--->eth1 10.0.0.6 -=> 10.0.0.x
> 
> 
> 
> #!/bin/bash
> 
> IPTABLES="/sbin/iptables"
> PAUL="10.0.0.9"

> echo "1" > /proc/sys/net/ipv4/ip_forward

..the open barn door.  Echo 0 here, and 1 again
at the very end of this script.
 
> echo "Executing The Firewall..."
> echo ""
> echo -n "Loading Modules..."
> /sbin/modprobe ip_conntrack_ftp
> /sbin/modprobe ip_conntrack_irc
> /sbin/modprobe ip_nat_irc
> /sbin/modprobe ip_nat_ftp
> /sbin/modprobe ipt_state
> /sbin/modprobe ipt_limit
> /sbin/modprobe ipt_LOG
> echo -n "Done"
> 
> $IPTABLES -F INPUT
> $IPTABLES -F OUTPUT
> $IPTABLES -F FORWARD
> $IPTABLES -P INPUT ACCEPT
> $IPTABLES -P OUTPUT ACCEPT
> 
> echo "Allow unlimited traffic on the loopback interface"
> $IPTABLES -A INPUT -i lo -j ACCEPT
> $IPTABLES -A OUTPUT -o lo -j ACCEPT
> 
> echo "Refusing spoofed packets pretending to be from your IP address"
> $IPTABLES -A INPUT -s 210.54.175.12 -j DROP
> 
> echo "Allow SSH"
> # Is this correct?
> $IPTABLES -A INPUT -i eth0 -p tcp --sport 22 -j ACCEPT
> $IPTABLES -A INPUT -i eth1 -p tcp --sport 22 -j ACCEPT
> $IPTABLES -A INPUT -i eth0 -p tcp --dport 22 -j ACCEPT
> $IPTABLES -A INPUT -i eth1 -p tcp --dport 22 -j ACCEPT
> 
> echo "Allow ftp"
> $IPTABLES -A INPUT -p tcp --sport 21 -m state --state ESTABLISHED -j ACCEPT
> $IPTABLES -A OUTPUT -p tcp --dport 21 -m state --state NEW,ESTABLISHED -j ACCEPT
> 
> echo "Active ftp"
> $IPTABLES -A INPUT -p tcp --sport 20 -m state --state ESTABLISHED,RELATED -j ACCEPT
> $IPTABLES -A OUTPUT -p tcp --dport 20 -m state --state ESTABLISHED -j ACCEPT
> 
> echo "Passive ftp"
> $IPTABLES -A INPUT -p tcp --sport 1024:65535 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
> $IPTABLES -A OUTPUT -p tcp --sport 1024:65535 --dport 1024:65535 -m state --state ESTABLISHED,RELATED -j ACCEPT
> 
> echo "Allow DNS"
> $IPTABLES -A INPUT -p tcp --sport 53 -j ACCEPT
> $IPTABLES -A INPUT -p udp --sport 53 -j ACCEPT
> $IPTABLES -A OUTPUT -p tcp --dport 53 -j ACCEPT
> $IPTABLES -A OUTPUT -p udp --dport 53 -j ACCEPT
> 
> echo "Allow SFTP"
> $IPTABLES -A OUTPUT -p tcp --dport 115 -j ACCEPT
> $IPTABLES -A INPUT -p tcp --sport 115 -j ACCEPT
> 
> echo "Allow HTTP"
> $IPTABLES -A OUTPUT -p tcp --dport 80 -j ACCEPT
> $IPTABLES -A INPUT -p tcp --sport 80 -j ACCEPT
> 
> echo "Allow https"
> $IPTABLES -A OUTPUT -p tcp --dport 443 -j ACCEPT
> $IPTABLES -A INPUT -p tcp --sport 443 -j ACCEPT
> 
> echo "Rejecting all connections to 135:139"
> $IPTABLES -N NETBIOS
> $IPTABLES -A INPUT -p udp --sport 135:139 -j NETBIOS
> $IPTABLES -A INPUT -p tcp --sport 135:139 -j NETBIOS
> $IPTABLES -A INPUT -p udp --dport 135:139 -j NETBIOS
> $IPTABLES -A INPUT -p tcp --dport 135:139 -j NETBIOS
> $IPTABLES -A NETBIOS -j LOG --log-prefix "IPTABLES NETBIOS: "
> $IPTABLES -A NETBIOS -j DROP
> 
> echo "Limit port 4665 traffic to PAUL"
> $IPTABLES -N PAULS_STUFF
> $IPTABLES -A FORWARD -p tcp -s $PAUL --dport 4665 -m limit --limit 1/hour -j PAULS_STUFF
> $IPTABLES -A FORWARD -p udp -s $PAUL --dport 4665 -m limit --limit 1/hour -j PAULS_STUFF
> $IPTABLES -A FORWARD -p udp -s $PAUL --sport 4665 -m limit --limit 1/hour -j PAULS_STUFF
> $IPTABLES -A FORWARD -p tcp -s $PAUL --sport 4665 -m limit --limit 1/hour -j PAULS_STUFF
> $IPTABLES -A PAULS_STUFF -j LOG --log-prefix "IPTABLES PAUL: "
> $IPTABLES -A PAULS_STUFF -j ACCEPT
> 
> echo "Allowing SMTP"
> $IPTABLES -A OUTPUT -p tcp --dport 25 -j ACCEPT
> $IPTABLES -A INPUT -p tcp --sport 25 -j ACCEPT
> 
> echo "Allowing POP3"
> $IPTABLES -A OUTPUT -p tcp --dport 110 -j ACCEPT
> $IPTABLES -A INPUT -p tcp --sport 110 -j ACCEPT
> 
> echo "Allowing Ident"
> $IPTABLES -A OUTPUT -p tcp --dport 113 -j ACCEPT
> $IPTABLES -A INPUT -p tcp --sport 113 -j ACCEPT
> 
> echo "Allowing Netmeeting/MSN"
> $IPTABLES -t nat -A PREROUTING -i eth0 -p tcp --dport 1863 -j \
>         REDIRECT --to-ports 1863
> $IPTABLES -t nat -A PREROUTING -i eth0 -p tcp --dport 389 -j \
>         REDIRECT --to-ports 389
> $IPTABLES -t nat -A PREROUTING -i eth0 -p tcp --dport 522 -j \
>         REDIRECT --to-ports 522
> 
> echo "Allowing EDonkey2k/Emule"
> echo "See: http://www.emule-project.net/faq/ports.htm"
> # should i use any -A FORWARD or PREROUTING here?
> $IPTABLES -A OUTPUT -p tcp --dport 4661 -j ACCEPT
> $IPTABLES -A INPUT -p tcp --sport 4661 -j ACCEPT
> $IPTABLES -A OUTPUT -p tcp --dport 4662 -j ACCEPT
> $IPTABLES -A INPUT -p tcp --sport 4662 -j ACCEPT
> $IPTABLES -A OUTPUT -p udp --dport 4665 -j ACCEPT
> $IPTABLES -A INPUT -p udp --sport 4665 -j ACCEPT
> $IPTABLES -A OUTPUT -p udp --dport 4672 -j ACCEPT
> $IPTABLES -A INPUT -p udp --sport 4672 -j ACCEPT
> 
> $IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
> $IPTABLES -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
> 
> 
> 


-- 
..med vennlig hilsen = with Kind Regards from Arnt... ;-)
...with a number of polar bear hunters in his ancestry...
  Scenarios always come in sets of three: 
  best case, worst case, and just in case.
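The ordering Arnt recommends, as an added example that is not mdew's script or anything else posted in the thread: forwarding is switched off before any rule changes and back on as the very last step, and the default policies are set to DROP before the flush so the router fails closed while the ruleset is being rebuilt. The interface names, the LAN subnet, and the overridable IPTABLES/IP_FORWARD variables (which let the sequence be dry-run without root) are assumptions.

```bash
#!/bin/bash
# Added example, not mdew's script: load rules with forwarding closed and
# reopen it only as the last step (Arnt's "echo 0 here, 1 at the very end").
# IPTABLES and IP_FORWARD are overridable (assumption) so the sequence can be
# dry-run without root; interface names and the LAN subnet are assumptions too.
IPTABLES="${IPTABLES:-/sbin/iptables}"
IP_FORWARD="${IP_FORWARD:-/proc/sys/net/ipv4/ip_forward}"
WAN_IF="${WAN_IF:-eth0}"
LAN_IF="${LAN_IF:-eth1}"
LAN_NET="${LAN_NET:-10.0.0.0/24}"

# $1 is 0 (stop routing between eth0 and eth1) or 1 (resume routing)
set_forwarding() {
    echo "$1" > "$IP_FORWARD"
}

load_firewall() {
    set_forwarding 0                    # close the barn door first
    # Fail closed before flushing: the policy is what applies while the
    # chains are empty and the rest of this function is still running.
    $IPTABLES -P INPUT DROP
    $IPTABLES -P FORWARD DROP
    $IPTABLES -P OUTPUT ACCEPT
    $IPTABLES -F INPUT
    $IPTABLES -F FORWARD
    $IPTABLES -F OUTPUT
    $IPTABLES -A INPUT -i lo -j ACCEPT
    $IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPTABLES -A INPUT -i "$LAN_IF" -p tcp --dport 22 -j ACCEPT
    # Forward only flows the LAN opened and the replies coming back to them
    $IPTABLES -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" \
        -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
    $IPTABLES -A FORWARD -i "$WAN_IF" -o "$LAN_IF" \
        -m state --state ESTABLISHED,RELATED -j ACCEPT
    set_forwarding 1                    # reopen only once every rule is in
}

# Exit status 0 only when the kernel is currently forwarding packets
forwarding_enabled() {
    [ "$(cat "$IP_FORWARD")" = "1" ]
}

# Apply for real only when asked to; sourcing the file just defines functions
if [ "${1:-}" = "--apply" ]; then
    load_firewall
fi
```

Running it with `IPTABLES=echo IP_FORWARD=/tmp/fwd ./script --apply` prints the exact command sequence without touching the live ruleset, which is a cheap way to review the ordering before a real reload.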




Thread overview: 3+ messages
2003-01-09 12:38 New Script mdew
2003-01-09 13:38 ` Arnt Karlsen [this message]
2003-01-09 15:06 ` Anders Fugmann
