#!/bin/bash
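# Load the FTP connection-tracking helper so the data channel of an FTP
# session is classified RELATED by the state rules further down.  Newer
# kernels ship the same helper as nf_conntrack_ftp; the first modprobe's
# stderr is silenced on purpose because exactly one of the two names is
# expected to be unknown on any given kernel.
modprobe ip_conntrack_ftp 2>/dev/null || modprobe nf_conntrack_ftp

# ---- Feature switches ("1" = on, "0" = off) -------------------------------
CONNECTION_TRACKING="1"   # use "-m state" NEW/ESTABLISHED/RELATED rules
ACCEPT_AUTH="0"           # accept incoming ident connections (TCP 113)
SSH_SERVER="0"            # accept incoming ssh (TCP 22)
FTP_SERVER="0"            # accept incoming ftp (TCP 21, 20)
WEB_SERVER="0"            # accept incoming http (TCP 80)
SSL_SERVER="0"            # accept incoming https (TCP 443)
DHCP_CLIENT="1"           # this host obtains its address via DHCP

# ---- Site-specific values: every placeholder below must be edited --------
# A name left as a placeholder will typically fail to resolve, so the rule
# that uses it is not loaded and that traffic stays covered by the DROP
# default policy (fail closed, but the service will not work).
INTERNET="eth0" # Internet-connected interface
LOOPBACK_INTERFACE="lo" # however your system names it
IPADDR="my.ip.address" # your IP address
SUBNET_BASE="network.address" # ISP network segment base address
SUBNET_BROADCAST="directed.broadcast" # network segment broadcast address
MY_ISP="my.isp.address.range" # ISP server & NOC address range
NAMESERVER="isp.name.server.1" # address of a remote name server
POP_SERVER="isp.pop.server" # address of a remote pop server
MAIL_SERVER="isp.mail.server" # address of a remote mail gateway
NEWS_SERVER="isp.news.server" # address of a remote news server
TIME_SERVER="some.timne.server" # address of a remote time server
DHCP_SERVER="isp.dhcp.server" # address of your ISP dhcp server

# ---- Fixed address ranges -------------------------------------------------
LOOPBACK="127.0.0.0/8" # reserved loopback address range
CLASS_A="10.0.0.0/8" # class A private networks
CLASS_B="172.16.0.0/12" # class B private networks
CLASS_C="192.168.0.0/16" # class C private networks
CLASS_D_MULTICAST="224.0.0.0/4" # class D multicast addresses
CLASS_E_RESERVED_NET="240.0.0.0/5" # class E reserved addresses
BROADCAST_SRC="0.0.0.0" # broadcast source address
BROADCAST_DEST="255.255.255.255" # broadcast destination address

# ---- Port ranges and service ports ----------------------------------------
PRIVPORTS="0:1023" # well-known, privileged port range
UNPRIVPORTS="1024:65535" # unprivileged port range
SSH_PORTS="1024:65535" # client-side port range used by ssh
NFS_PORT="2049"
LOCKD_PORT="4045"
SOCKS_PORT="1080"
OPENWINDOWS_PORT="2000"
XWINDOW_PORTS="6000:6063"
SQUID_PORT="3128"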
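###############################################################
# Kernel-level hardening via /proc/sys/net/ipv4.
# These writes are best-effort: a missing or read-only file only prints
# an error and the iptables rules below are still loaded, which is why
# the script does not use "set -e".

# Write $2 to every per-interface copy of the sysctl named $1
# (/proc/sys/net/ipv4/conf/*/$1).
set_ipv4_conf_all() {
  local key=$1 value=$2 f
  for f in /proc/sys/net/ipv4/conf/*/"$key"; do
    # If nothing matches, the glob is left as a literal pattern; skip it.
    [ -e "$f" ] || continue
    echo "$value" > "$f"
  done
}

# Enable broadcast echo Protection
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
# Disable Source Routed Packets
set_ipv4_conf_all accept_source_route 0
# Enable TCP SYN Cookie Protection
echo 1 > /proc/sys/net/ipv4/tcp_syncookies
# Disable ICMP Redirect Acceptance
set_ipv4_conf_all accept_redirects 0
# Don't send Redirect Messages
set_ipv4_conf_all send_redirects 0
# Drop Spoofed Packets coming in on an interface, which if replied to,
# would result in the reply going out a different interface.
set_ipv4_conf_all rp_filter 1
# Log packets with impossible addresses.
set_ipv4_conf_all log_martians 1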
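###############################################################
# Reset the firewall.  The default policies are switched to DROP *before*
# the chains are flushed so there is no window in which the old rules are
# gone, the new ones are not yet loaded, and the host is wide open.
iptables --policy INPUT DROP
iptables --policy OUTPUT DROP
iptables --policy FORWARD DROP
# Remove any existing rules from all chains
iptables --flush
iptables -t nat --flush
iptables -t mangle --flush
# Remove any pre-existing user-defined chains
iptables --delete-chain
iptables -t nat --delete-chain
iptables -t mangle --delete-chain
# A bug that showed up as of the Red Hat 7.2 release results
# in the following 5 default policies breaking the firewall
# initialization, so the nat and mangle policies are left untouched:
# iptables -t nat --policy PREROUTING DROP
# iptables -t nat --policy OUTPUT DROP
# iptables -t nat --policy POSTROUTING DROP
# iptables -t mangle --policy PREROUTING DROP
# iptables -t mangle --policy OUTPUT DROP
# Unlimited traffic on the loopback interface
iptables -A INPUT -i "$LOOPBACK_INTERFACE" -j ACCEPT
iptables -A OUTPUT -o "$LOOPBACK_INTERFACE" -j ACCEPT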
###############################################################
# Stealth Scans and TCP State Flags
# Drop TCP segments carrying flag combinations that never occur in a
# legitimate exchange.  $1 is the mask of flags to examine, $2 the flags
# that must be set within that mask (iptables --tcp-flags syntax).
drop_tcp_flags() {
  iptables -A INPUT -p tcp --tcp-flags "$1" "$2" -j DROP
}
# All of the bits are cleared
drop_tcp_flags ALL NONE
# SYN and FIN are both set
drop_tcp_flags SYN,FIN SYN,FIN
# SYN and RST are both set
drop_tcp_flags SYN,RST SYN,RST
# FIN and RST are both set
drop_tcp_flags FIN,RST FIN,RST
# FIN is the only bit set, without the expected accompanying ACK
drop_tcp_flags ACK,FIN FIN
# PSH is the only bit set, without the expected accompanying ACK
drop_tcp_flags ACK,PSH PSH
# URG is the only bit set, without the expected accompanying ACK
drop_tcp_flags ACK,URG URG
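###############################################################
# Using Connection State to By-pass Rule Checking
# ("-m state" is the classic spelling; newer iptables releases also
# accept the equivalent "-m conntrack --ctstate".)
if [ "$CONNECTION_TRACKING" = "1" ]; then
  iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
  iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
  # Using the state module alone, INVALID will break protocols that use
  # bi-directional connections or multiple connections or exchanges,
  # unless an ALG is provided for the protocol. At this time, FTP and
  # IRC are the only protocols with ALG support.
  # Log before dropping; the prefix is what to search for in the kernel
  # log.  Each LOG rule is one command spanning two lines.
  iptables -A INPUT -m state --state INVALID -j LOG \
    --log-prefix "INVALID input: "
  iptables -A INPUT -m state --state INVALID -j DROP
  iptables -A OUTPUT -m state --state INVALID -j LOG \
    --log-prefix "INVALID output: "
  iptables -A OUTPUT -m state --state INVALID -j DROP
fi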
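###############################################################
# Source Address Spoofing and Other Bad Addresses
# Refuse spoofed packets pretending to be from
# the external interface's IP address
iptables -A INPUT -i "$INTERNET" -s "$IPADDR" -j DROP
# Refuse packets claiming to be from a Class A private network
iptables -A INPUT -i "$INTERNET" -s "$CLASS_A" -j DROP
# Refuse packets claiming to be from a Class B private network
iptables -A INPUT -i "$INTERNET" -s "$CLASS_B" -j DROP
# Refuse packets claiming to be from a Class C private network
iptables -A INPUT -i "$INTERNET" -s "$CLASS_C" -j DROP
# Refuse packets claiming to be from the loopback interface
iptables -A INPUT -i "$INTERNET" -s "$LOOPBACK" -j DROP
# Refuse malformed broadcast packets (logged, then dropped)
iptables -A INPUT -i "$INTERNET" -s "$BROADCAST_DEST" -j LOG
iptables -A INPUT -i "$INTERNET" -s "$BROADCAST_DEST" -j DROP
iptables -A INPUT -i "$INTERNET" -d "$BROADCAST_SRC" -j LOG
iptables -A INPUT -i "$INTERNET" -d "$BROADCAST_SRC" -j DROP
if [ "$DHCP_CLIENT" = "0" ]; then
  # Refuse directed broadcasts
  # Used to map networks and in Denial of Service attacks
  iptables -A INPUT -i "$INTERNET" -d "$SUBNET_BASE" -j DROP
  iptables -A INPUT -i "$INTERNET" -d "$SUBNET_BROADCAST" -j DROP
  # Refuse limited broadcasts
  iptables -A INPUT -i "$INTERNET" -d "$BROADCAST_DEST" -j DROP
fi
# (With DHCP_CLIENT="1" the same broadcast drops are appended later, after
# the DHCP rules, because the DHCP exchange depends on broadcast traffic.)
# Refuse Class D multicast addresses
# illegal as a source address
iptables -A INPUT -i "$INTERNET" -s "$CLASS_D_MULTICAST" -j DROP
# Multicast destinations are only accepted for UDP.  Negation is written
# in prefix form ("! -p udp"), the form current iptables releases prefer;
# the older "-p ! udp" is deprecated.
iptables -A INPUT -i "$INTERNET" ! -p udp -d "$CLASS_D_MULTICAST" -j DROP
iptables -A INPUT -i "$INTERNET" -p udp -d "$CLASS_D_MULTICAST" -j ACCEPT
# Refuse Class E reserved IP addresses
iptables -A INPUT -i "$INTERNET" -s "$CLASS_E_RESERVED_NET" -j DROP
# refuse addresses defined as reserved by the IANA
# 0.*.*.* - Can't be blocked unilaterally with DHCP
# 169.254.0.0/16 - Link Local Networks
# 192.0.2.0/24 - TEST-NET
if [ "$DHCP_CLIENT" = "1" ]; then
  # A DHCP client has no address yet, so the DHCPOFFER sent from 0.0.0.0
  # must be admitted here, ahead of the 0.0.0.0/8 drop below.
  iptables -A INPUT -i "$INTERNET" -p udp \
    -s "$BROADCAST_SRC" --sport 67 \
    -d "$BROADCAST_DEST" --dport 68 -j ACCEPT
fi
iptables -A INPUT -i "$INTERNET" -s 0.0.0.0/8 -j DROP
iptables -A INPUT -i "$INTERNET" -s 169.254.0.0/16 -j DROP
iptables -A INPUT -i "$INTERNET" -s 192.0.2.0/24 -j DROP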
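###############################################################
# Disallowing Connections to Common TCP Unprivileged Server Ports
# Outgoing attempts are REJECTed so the local client fails immediately;
# incoming attempts are silently DROPped.  Only connection openings
# (--syn) are matched.
# X Window connection establishment
iptables -A OUTPUT -o "$INTERNET" -p tcp --syn \
  --destination-port "$XWINDOW_PORTS" -j REJECT
# X Window: incoming connection attempt
iptables -A INPUT -i "$INTERNET" -p tcp --syn \
  --destination-port "$XWINDOW_PORTS" -j DROP
# Establishing a connection over TCP to NFS, OpenWindows, SOCKS or squid
iptables -A OUTPUT -o "$INTERNET" -p tcp \
  -m multiport --destination-port \
  "$NFS_PORT,$OPENWINDOWS_PORT,$SOCKS_PORT,$SQUID_PORT" \
  --syn -j REJECT
iptables -A INPUT -i "$INTERNET" -p tcp \
  -m multiport --destination-port \
  "$NFS_PORT,$OPENWINDOWS_PORT,$SOCKS_PORT,$SQUID_PORT" \
  --syn -j DROP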
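###############################################################
# Disallowing Connections to Common UDP Unprivileged Server Ports
# NFS and lockd
if [ "$CONNECTION_TRACKING" = "1" ]; then
  # With tracking on, only connection-opening (NEW) datagrams need
  # refusing; replies to our own queries were already accepted as
  # ESTABLISHED above.
  iptables -A OUTPUT -o "$INTERNET" -p udp \
    -m multiport --destination-port "$NFS_PORT,$LOCKD_PORT" \
    -m state --state NEW -j REJECT
  iptables -A INPUT -i "$INTERNET" -p udp \
    -m multiport --destination-port "$NFS_PORT,$LOCKD_PORT" \
    -m state --state NEW -j DROP
else
  iptables -A OUTPUT -o "$INTERNET" -p udp \
    -m multiport --destination-port "$NFS_PORT,$LOCKD_PORT" \
    -j REJECT
  iptables -A INPUT -i "$INTERNET" -p udp \
    -m multiport --destination-port "$NFS_PORT,$LOCKD_PORT" \
    -j DROP
fi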
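###############################################################
# DNS Name Server
# DNS Forwarding Name Server or client requests
# Pattern used for every service below: the rule inside the
# CONNECTION_TRACKING test admits the first (NEW) packet of a flow; the
# unconditional rule that follows it is what carries the traffic when
# tracking is off.
if [ "$CONNECTION_TRACKING" = "1" ]; then
  iptables -A OUTPUT -o "$INTERNET" -p udp \
    -s "$IPADDR" --sport "$UNPRIVPORTS" \
    -d "$NAMESERVER" --dport 53 \
    -m state --state NEW -j ACCEPT
fi
iptables -A OUTPUT -o "$INTERNET" -p udp \
  -s "$IPADDR" --sport "$UNPRIVPORTS" \
  -d "$NAMESERVER" --dport 53 -j ACCEPT
iptables -A INPUT -i "$INTERNET" -p udp \
  -s "$NAMESERVER" --sport 53 \
  -d "$IPADDR" --dport "$UNPRIVPORTS" -j ACCEPT
#...............................................................
# TCP is used for large responses
if [ "$CONNECTION_TRACKING" = "1" ]; then
  iptables -A OUTPUT -o "$INTERNET" -p tcp \
    -s "$IPADDR" --sport "$UNPRIVPORTS" \
    -d "$NAMESERVER" --dport 53 \
    -m state --state NEW -j ACCEPT
fi
iptables -A OUTPUT -o "$INTERNET" -p tcp \
  -s "$IPADDR" --sport "$UNPRIVPORTS" \
  -d "$NAMESERVER" --dport 53 -j ACCEPT
# "! --syn" admits only reply segments, never a connection opened from
# the name server's side.
iptables -A INPUT -i "$INTERNET" -p tcp ! --syn \
  -s "$NAMESERVER" --sport 53 \
  -d "$IPADDR" --dport "$UNPRIVPORTS" -j ACCEPT
#...............................................................
# DNS Caching Name Server (local server to primary server)
# Only needed when a local caching server forwards queries from its own
# port 53; it admits inbound traffic from $NAMESERVER to local port 53.
if [ "$CONNECTION_TRACKING" = "1" ]; then
  iptables -A OUTPUT -o "$INTERNET" -p udp \
    -s "$IPADDR" --sport 53 \
    -d "$NAMESERVER" --dport 53 \
    -m state --state NEW -j ACCEPT
fi
iptables -A OUTPUT -o "$INTERNET" -p udp \
  -s "$IPADDR" --sport 53 \
  -d "$NAMESERVER" --dport 53 -j ACCEPT
iptables -A INPUT -i "$INTERNET" -p udp \
  -s "$NAMESERVER" --sport 53 \
  -d "$IPADDR" --dport 53 -j ACCEPT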
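###############################################################
# Filtering the AUTH User Identification Service (TCP Port 113)
# Outgoing Local Client Requests to Remote Servers
if [ "$CONNECTION_TRACKING" = "1" ]; then
  iptables -A OUTPUT -o "$INTERNET" -p tcp \
    -s "$IPADDR" --sport "$UNPRIVPORTS" \
    --dport 113 -m state --state NEW -j ACCEPT
fi
iptables -A OUTPUT -o "$INTERNET" -p tcp \
  -s "$IPADDR" --sport "$UNPRIVPORTS" \
  --dport 113 -j ACCEPT
iptables -A INPUT -i "$INTERNET" -p tcp ! --syn \
  --sport 113 \
  -d "$IPADDR" --dport "$UNPRIVPORTS" -j ACCEPT
#...............................................................
# Incoming Remote Client Requests to Local Servers
# Incoming NEW connections to port 113 are accepted only inside the
# ACCEPT_AUTH branch.  An earlier version also appended that ACCEPT
# unconditionally ahead of the ACCEPT_AUTH test, which let ident
# connections in even with ACCEPT_AUTH="0" because the REJECT below never
# saw them.
if [ "$ACCEPT_AUTH" = "1" ]; then
  if [ "$CONNECTION_TRACKING" = "1" ]; then
    iptables -A INPUT -i "$INTERNET" -p tcp \
      --sport "$UNPRIVPORTS" \
      -d "$IPADDR" --dport 113 \
      -m state --state NEW -j ACCEPT
  fi
  iptables -A INPUT -i "$INTERNET" -p tcp \
    --sport "$UNPRIVPORTS" \
    -d "$IPADDR" --dport 113 -j ACCEPT
  iptables -A OUTPUT -o "$INTERNET" -p tcp ! --syn \
    -s "$IPADDR" --sport 113 \
    --dport "$UNPRIVPORTS" -j ACCEPT
else
  # Answer ident probes with a TCP reset so the remote side gets an
  # immediate refusal instead of waiting on a silent drop.
  iptables -A INPUT -i "$INTERNET" -p tcp \
    --sport "$UNPRIVPORTS" \
    -d "$IPADDR" --dport 113 -j REJECT --reject-with tcp-reset
fi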
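###############################################################
# Sending Mail to Any External Mail Server
# Use "-d $MAIL_SERVER" if an ISP mail gateway is used instead
# (as written, outgoing SMTP to any host is permitted).
if [ "$CONNECTION_TRACKING" = "1" ]; then
  iptables -A OUTPUT -o "$INTERNET" -p tcp \
    -s "$IPADDR" --sport "$UNPRIVPORTS" \
    --dport 25 -m state --state NEW -j ACCEPT
fi
iptables -A OUTPUT -o "$INTERNET" -p tcp \
  -s "$IPADDR" --sport "$UNPRIVPORTS" \
  --dport 25 -j ACCEPT
iptables -A INPUT -i "$INTERNET" -p tcp ! --syn \
  --sport 25 \
  -d "$IPADDR" --dport "$UNPRIVPORTS" -j ACCEPT
###############################################################
# Retrieving Mail as a POP Client (TCP Port 110)
# Plain POP3; credentials travel in clear text on this port.  POP3 over
# TLS (port 995) is not opened by this script.
if [ "$CONNECTION_TRACKING" = "1" ]; then
  iptables -A OUTPUT -o "$INTERNET" -p tcp \
    -s "$IPADDR" --sport "$UNPRIVPORTS" \
    -d "$POP_SERVER" --dport 110 -m state --state NEW -j ACCEPT
fi
iptables -A OUTPUT -o "$INTERNET" -p tcp \
  -s "$IPADDR" --sport "$UNPRIVPORTS" \
  -d "$POP_SERVER" --dport 110 -j ACCEPT
iptables -A INPUT -i "$INTERNET" -p tcp ! --syn \
  -s "$POP_SERVER" --sport 110 \
  -d "$IPADDR" --dport "$UNPRIVPORTS" -j ACCEPT
###############################################################
# Accessing Usenet News Services (TCP NNTP Port 119)
if [ "$CONNECTION_TRACKING" = "1" ]; then
  iptables -A OUTPUT -o "$INTERNET" -p tcp \
    -s "$IPADDR" --sport "$UNPRIVPORTS" \
    -d "$NEWS_SERVER" --dport 119 -m state --state NEW -j ACCEPT
fi
iptables -A OUTPUT -o "$INTERNET" -p tcp \
  -s "$IPADDR" --sport "$UNPRIVPORTS" \
  -d "$NEWS_SERVER" --dport 119 -j ACCEPT
iptables -A INPUT -i "$INTERNET" -p tcp ! --syn \
  -s "$NEWS_SERVER" --sport 119 \
  -d "$IPADDR" --dport "$UNPRIVPORTS" -j ACCEPT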
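###############################################################
# ssh (TCP Port 22)
# Outgoing Local Client Requests to Remote Servers
# SSH_PORTS is the client-side port range (configured above as the whole
# unprivileged range).
if [ "$CONNECTION_TRACKING" = "1" ]; then
  iptables -A OUTPUT -o "$INTERNET" -p tcp \
    -s "$IPADDR" --sport "$SSH_PORTS" \
    --dport 22 -m state --state NEW -j ACCEPT
fi
iptables -A OUTPUT -o "$INTERNET" -p tcp \
  -s "$IPADDR" --sport "$SSH_PORTS" \
  --dport 22 -j ACCEPT
iptables -A INPUT -i "$INTERNET" -p tcp ! --syn \
  --source-port 22 \
  -d "$IPADDR" --dport "$SSH_PORTS" -j ACCEPT
#...............................................................
# Incoming Remote Client Requests to Local Servers
if [ "$SSH_SERVER" = "1" ]; then
  # No source restriction: port 22 is reachable from any host.  Add a
  # "-s <trusted range>" to these rules if the client addresses are known.
  if [ "$CONNECTION_TRACKING" = "1" ]; then
    iptables -A INPUT -i "$INTERNET" -p tcp \
      --sport "$SSH_PORTS" \
      -d "$IPADDR" --dport 22 \
      -m state --state NEW -j ACCEPT
  fi
  iptables -A INPUT -i "$INTERNET" -p tcp \
    --sport "$SSH_PORTS" \
    -d "$IPADDR" --dport 22 -j ACCEPT
  iptables -A OUTPUT -o "$INTERNET" -p tcp ! --syn \
    -s "$IPADDR" --sport 22 \
    --dport "$SSH_PORTS" -j ACCEPT
fi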
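###############################################################
# ftp (TCP Ports 21, 20)
# Outgoing Local Client Requests to Remote Servers
# Outgoing Control Connection to Port 21
if [ "$CONNECTION_TRACKING" = "1" ]; then
  iptables -A OUTPUT -o "$INTERNET" -p tcp \
    -s "$IPADDR" --sport "$UNPRIVPORTS" \
    --dport 21 -m state --state NEW -j ACCEPT
fi
iptables -A OUTPUT -o "$INTERNET" -p tcp \
  -s "$IPADDR" --sport "$UNPRIVPORTS" \
  --dport 21 -j ACCEPT
iptables -A INPUT -i "$INTERNET" -p tcp ! --syn \
  --sport 21 \
  -d "$IPADDR" --dport "$UNPRIVPORTS" -j ACCEPT
# Incoming Port Mode Data Channel Connection from Port 20
if [ "$CONNECTION_TRACKING" = "1" ]; then
  # This rule is not necessary if the ip_conntrack_ftp
  # module is used (the data channel is then RELATED).  Note that it
  # admits NEW connections from any host's port 20 to every unprivileged
  # local port, not only to the port the ftp client is using.
  iptables -A INPUT -i "$INTERNET" -p tcp \
    --sport 20 \
    -d "$IPADDR" --dport "$UNPRIVPORTS" \
    -m state --state NEW -j ACCEPT
fi
iptables -A INPUT -i "$INTERNET" -p tcp \
  --sport 20 \
  -d "$IPADDR" --dport "$UNPRIVPORTS" -j ACCEPT
iptables -A OUTPUT -o "$INTERNET" -p tcp ! --syn \
  -s "$IPADDR" --sport "$UNPRIVPORTS" \
  --dport 20 -j ACCEPT
# Outgoing Passive Mode Data Channel Connection Between Unprivileged Ports
if [ "$CONNECTION_TRACKING" = "1" ]; then
  # This rule is not necessary if the ip_conntrack_ftp
  # module is used.  Without the helper it is very broad: it permits NEW
  # outgoing TCP connections from any unprivileged local port to any
  # unprivileged port on any host.
  iptables -A OUTPUT -o "$INTERNET" -p tcp \
    -s "$IPADDR" --sport "$UNPRIVPORTS" \
    --dport "$UNPRIVPORTS" -m state --state NEW -j ACCEPT
fi
iptables -A OUTPUT -o "$INTERNET" -p tcp \
  -s "$IPADDR" --sport "$UNPRIVPORTS" \
  --dport "$UNPRIVPORTS" -j ACCEPT
iptables -A INPUT -i "$INTERNET" -p tcp ! --syn \
  --sport "$UNPRIVPORTS" \
  -d "$IPADDR" --dport "$UNPRIVPORTS" -j ACCEPT
#...............................................................
# Incoming Remote Client Requests to Local Servers
if [ "$FTP_SERVER" = "1" ]; then
  # Incoming Control Connection to Port 21
  if [ "$CONNECTION_TRACKING" = "1" ]; then
    iptables -A INPUT -i "$INTERNET" -p tcp \
      --sport "$UNPRIVPORTS" \
      -d "$IPADDR" --dport 21 \
      -m state --state NEW -j ACCEPT
  fi
  iptables -A INPUT -i "$INTERNET" -p tcp \
    --sport "$UNPRIVPORTS" \
    -d "$IPADDR" --dport 21 -j ACCEPT
  iptables -A OUTPUT -o "$INTERNET" -p tcp ! --syn \
    -s "$IPADDR" --sport 21 \
    --dport "$UNPRIVPORTS" -j ACCEPT
  # Outgoing Port Mode Data Channel Connection to Port 20
  if [ "$CONNECTION_TRACKING" = "1" ]; then
    iptables -A OUTPUT -o "$INTERNET" -p tcp \
      -s "$IPADDR" --sport 20 \
      --dport "$UNPRIVPORTS" -m state --state NEW -j ACCEPT
  fi
  iptables -A OUTPUT -o "$INTERNET" -p tcp \
    -s "$IPADDR" --sport 20 \
    --dport "$UNPRIVPORTS" -j ACCEPT
  iptables -A INPUT -i "$INTERNET" -p tcp ! --syn \
    --sport "$UNPRIVPORTS" \
    -d "$IPADDR" --dport 20 -j ACCEPT
  # Incoming Passive Mode Data Channel Connection Between Unprivileged Ports
  if [ "$CONNECTION_TRACKING" = "1" ]; then
    # Like the client-side passive rule above, this admits NEW
    # connections to every unprivileged local port from any host; the
    # ip_conntrack_ftp helper makes it unnecessary.
    iptables -A INPUT -i "$INTERNET" -p tcp \
      --sport "$UNPRIVPORTS" \
      -d "$IPADDR" --dport "$UNPRIVPORTS" \
      -m state --state NEW -j ACCEPT
  fi
  iptables -A INPUT -i "$INTERNET" -p tcp \
    --sport "$UNPRIVPORTS" \
    -d "$IPADDR" --dport "$UNPRIVPORTS" -j ACCEPT
  iptables -A OUTPUT -o "$INTERNET" -p tcp ! --syn \
    -s "$IPADDR" --sport "$UNPRIVPORTS" \
    --dport "$UNPRIVPORTS" -j ACCEPT
fi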
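###############################################################
# HTTP Web Traffic (TCP Port 80)
# Outgoing Local Client Requests to Remote Servers
if [ "$CONNECTION_TRACKING" = "1" ]; then
  iptables -A OUTPUT -o "$INTERNET" -p tcp \
    -s "$IPADDR" --sport "$UNPRIVPORTS" \
    --dport 80 -m state --state NEW -j ACCEPT
fi
iptables -A OUTPUT -o "$INTERNET" -p tcp \
  -s "$IPADDR" --sport "$UNPRIVPORTS" \
  --dport 80 -j ACCEPT
iptables -A INPUT -i "$INTERNET" -p tcp ! --syn \
  --sport 80 \
  -d "$IPADDR" --dport "$UNPRIVPORTS" -j ACCEPT
#...............................................................
# Incoming Remote Client Requests to Local Servers
if [ "$WEB_SERVER" = "1" ]; then
  if [ "$CONNECTION_TRACKING" = "1" ]; then
    iptables -A INPUT -i "$INTERNET" -p tcp \
      --sport "$UNPRIVPORTS" \
      -d "$IPADDR" --dport 80 \
      -m state --state NEW -j ACCEPT
  fi
  iptables -A INPUT -i "$INTERNET" -p tcp \
    --sport "$UNPRIVPORTS" \
    -d "$IPADDR" --dport 80 -j ACCEPT
  iptables -A OUTPUT -o "$INTERNET" -p tcp ! --syn \
    -s "$IPADDR" --sport 80 \
    --dport "$UNPRIVPORTS" -j ACCEPT
fi
###############################################################
# SSL Web Traffic (TCP Port 443)
# Outgoing Local Client Requests to Remote Servers
if [ "$CONNECTION_TRACKING" = "1" ]; then
  iptables -A OUTPUT -o "$INTERNET" -p tcp \
    -s "$IPADDR" --sport "$UNPRIVPORTS" \
    --dport 443 -m state --state NEW -j ACCEPT
fi
iptables -A OUTPUT -o "$INTERNET" -p tcp \
  -s "$IPADDR" --sport "$UNPRIVPORTS" \
  --dport 443 -j ACCEPT
iptables -A INPUT -i "$INTERNET" -p tcp ! --syn \
  --sport 443 \
  -d "$IPADDR" --dport "$UNPRIVPORTS" -j ACCEPT
#...............................................................
# Incoming Remote Client Requests to Local Servers
if [ "$SSL_SERVER" = "1" ]; then
  if [ "$CONNECTION_TRACKING" = "1" ]; then
    iptables -A INPUT -i "$INTERNET" -p tcp \
      --sport "$UNPRIVPORTS" \
      -d "$IPADDR" --dport 443 \
      -m state --state NEW -j ACCEPT
  fi
  iptables -A INPUT -i "$INTERNET" -p tcp \
    --sport "$UNPRIVPORTS" \
    -d "$IPADDR" --dport 443 -j ACCEPT
  iptables -A OUTPUT -o "$INTERNET" -p tcp ! --syn \
    -s "$IPADDR" --sport 443 \
    --dport "$UNPRIVPORTS" -j ACCEPT
fi
###############################################################
# whois (TCP Port 43)
# Outgoing Local Client Requests to Remote Servers
if [ "$CONNECTION_TRACKING" = "1" ]; then
  iptables -A OUTPUT -o "$INTERNET" -p tcp \
    -s "$IPADDR" --sport "$UNPRIVPORTS" \
    --dport 43 -m state --state NEW -j ACCEPT
fi
iptables -A OUTPUT -o "$INTERNET" -p tcp \
  -s "$IPADDR" --sport "$UNPRIVPORTS" \
  --dport 43 -j ACCEPT
iptables -A INPUT -i "$INTERNET" -p tcp ! --syn \
  --sport 43 \
  -d "$IPADDR" --dport "$UNPRIVPORTS" -j ACCEPT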
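###############################################################
# Accessing Remote Network Time Servers (UDP 123)
# Note: some clients and servers use source port 123
# when querying a remote server on destination port 123.  Such a client
# is NOT matched by these rules, which only cover an unprivileged source
# port; widen --sport if the local time daemon binds to 123.
if [ "$CONNECTION_TRACKING" = "1" ]; then
  iptables -A OUTPUT -o "$INTERNET" -p udp \
    -s "$IPADDR" --sport "$UNPRIVPORTS" \
    -d "$TIME_SERVER" --dport 123 \
    -m state --state NEW -j ACCEPT
fi
iptables -A OUTPUT -o "$INTERNET" -p udp \
  -s "$IPADDR" --sport "$UNPRIVPORTS" \
  -d "$TIME_SERVER" --dport 123 -j ACCEPT
iptables -A INPUT -i "$INTERNET" -p udp \
  -s "$TIME_SERVER" --sport 123 \
  -d "$IPADDR" --dport "$UNPRIVPORTS" -j ACCEPT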
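###############################################################
# Accessing Your ISP's DHCP Server (UDP Ports 67, 68)
# Some broadcast packets are explicitly ignored by the firewall.
# Others are dropped by the default policy.
# DHCP tests must precede broadcast-related rules, as DHCP relies
# on broadcast traffic initially.
if [ "$DHCP_CLIENT" = "1" ]; then
  # Initialization or rebinding: No lease or Lease time expired.
  iptables -A OUTPUT -o "$INTERNET" -p udp \
    -s "$BROADCAST_SRC" --sport 68 \
    -d "$BROADCAST_DEST" --dport 67 -j ACCEPT
  # Incoming DHCPOFFER from available DHCP servers
  # (the same rule is also appended in the spoofing section so that it
  # precedes the 0.0.0.0/8 drop; the repetition here is harmless)
  iptables -A INPUT -i "$INTERNET" -p udp \
    -s "$BROADCAST_SRC" --sport 67 \
    -d "$BROADCAST_DEST" --dport 68 -j ACCEPT
  # Fall back to initialization
  # The client knows its server, but has either lost its lease,
  # or else needs to reconfirm the IP address after rebooting.
  iptables -A OUTPUT -o "$INTERNET" -p udp \
    -s "$BROADCAST_SRC" --sport 68 \
    -d "$DHCP_SERVER" --dport 67 -j ACCEPT
  iptables -A INPUT -i "$INTERNET" -p udp \
    -s "$DHCP_SERVER" --sport 67 \
    -d "$BROADCAST_DEST" --dport 68 -j ACCEPT
  # As a result of the above, we're supposed to change our IP
  # address with this message, which is addressed to our new
  # address before the dhcp client has received the update.
  # Depending on the server implementation, the destination address
  # can be the new IP address, the subnet address, or the limited
  # broadcast address.
  # If the network subnet address is used as the destination,
  # the next rule must allow incoming packets destined to the
  # subnet address, and the rule must precede any general rules
  # that block such incoming broadcast packets.  (It therefore carries
  # no -d match at all.)
  iptables -A INPUT -i "$INTERNET" -p udp \
    -s "$DHCP_SERVER" --sport 67 \
    --dport 68 -j ACCEPT
  # Lease renewal
  iptables -A OUTPUT -o "$INTERNET" -p udp \
    -s "$IPADDR" --sport 68 \
    -d "$DHCP_SERVER" --dport 67 -j ACCEPT
  iptables -A INPUT -i "$INTERNET" -p udp \
    -s "$DHCP_SERVER" --sport 67 \
    -d "$IPADDR" --dport 68 -j ACCEPT
  # Refuse directed broadcasts
  # Used to map networks and in Denial of Service attacks
  iptables -A INPUT -i "$INTERNET" -d "$SUBNET_BASE" -j DROP
  iptables -A INPUT -i "$INTERNET" -d "$SUBNET_BROADCAST" -j DROP
  # Refuse limited broadcasts
  iptables -A INPUT -i "$INTERNET" -d "$BROADCAST_DEST" -j DROP
fi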
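###############################################################
# ICMP Control and Status Messages
# Log and drop initial ICMP fragments
iptables -A INPUT -i "$INTERNET" --fragment -p icmp -j LOG \
  --log-prefix "Fragmented incoming ICMP: "
iptables -A INPUT -i "$INTERNET" --fragment -p icmp -j DROP
iptables -A OUTPUT -o "$INTERNET" --fragment -p icmp -j LOG \
  --log-prefix "Fragmented outgoing ICMP: "
iptables -A OUTPUT -o "$INTERNET" --fragment -p icmp -j DROP
# Flow-control and error messages needed for normal operation
iptables -A INPUT -i "$INTERNET" -p icmp \
  --icmp-type source-quench -d "$IPADDR" -j ACCEPT
iptables -A OUTPUT -o "$INTERNET" -p icmp \
  -s "$IPADDR" --icmp-type source-quench -j ACCEPT
iptables -A INPUT -i "$INTERNET" -p icmp \
  --icmp-type parameter-problem -d "$IPADDR" -j ACCEPT
iptables -A OUTPUT -o "$INTERNET" -p icmp \
  -s "$IPADDR" --icmp-type parameter-problem -j ACCEPT
iptables -A INPUT -i "$INTERNET" -p icmp \
  --icmp-type destination-unreachable -d "$IPADDR" -j ACCEPT
# fragmentation-needed is a sub-type of destination-unreachable, so this
# ACCEPT must stay ahead of the DROP that follows it; path-MTU discovery
# depends on it getting out.
iptables -A OUTPUT -o "$INTERNET" -p icmp \
  -s "$IPADDR" --icmp-type fragmentation-needed -j ACCEPT
# Don't log dropped outgoing ICMP error messages
iptables -A OUTPUT -o "$INTERNET" -p icmp \
  -s "$IPADDR" --icmp-type destination-unreachable -j DROP
# Intermediate traceroute responses
iptables -A INPUT -i "$INTERNET" -p icmp \
  --icmp-type time-exceeded -d "$IPADDR" -j ACCEPT
# allow outgoing pings to anywhere
if [ "$CONNECTION_TRACKING" = "1" ]; then
  iptables -A OUTPUT -o "$INTERNET" -p icmp \
    -s "$IPADDR" --icmp-type echo-request \
    -m state --state NEW -j ACCEPT
fi
iptables -A OUTPUT -o "$INTERNET" -p icmp \
  -s "$IPADDR" --icmp-type echo-request -j ACCEPT
iptables -A INPUT -i "$INTERNET" -p icmp \
  --icmp-type echo-reply -d "$IPADDR" -j ACCEPT
# allow incoming pings from trusted hosts ($MY_ISP only)
if [ "$CONNECTION_TRACKING" = "1" ]; then
  iptables -A INPUT -i "$INTERNET" -p icmp \
    -s "$MY_ISP" --icmp-type echo-request -d "$IPADDR" \
    -m state --state NEW -j ACCEPT
fi
iptables -A INPUT -i "$INTERNET" -p icmp \
  -s "$MY_ISP" --icmp-type echo-request -d "$IPADDR" -j ACCEPT
iptables -A OUTPUT -o "$INTERNET" -p icmp \
  -s "$IPADDR" --icmp-type echo-reply -d "$MY_ISP" -j ACCEPT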
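###############################################################
# Logging Dropped Packets
# Everything reaching this point falls through to the DROP policy; log
# it first.  Don't log dropped incoming echo-requests (ICMP type 8).
# Negation is written in prefix form ("! --icmp-type"), the form current
# iptables releases prefer.  No "-m limit" is applied, so refused
# traffic is logged at the rate it arrives; add a limit if log volume
# becomes a concern.
iptables -A INPUT -i "$INTERNET" -p icmp \
  ! --icmp-type 8 -d "$IPADDR" -j LOG
iptables -A INPUT -i "$INTERNET" -p tcp \
  -d "$IPADDR" -j LOG
iptables -A OUTPUT -o "$INTERNET" -j LOG
# End of the rule set; nothing after this exit is executed.
exit 0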
modprobe ip_conntrack_ftp
CONNECTION_TRACKING="1"
ACCEPT_AUTH="0"
SSH_SERVER="0"
FTP_SERVER="0"
WEB_SERVER="0"
SSL_SERVER="0"
DHCP_CLIENT="1"
INTERNET="eth0" # Internet-connected interface
LOOPBACK_INTERFACE="lo" # however your system names it
IPADDR="my.ip.address" # your IP address
SUBNET_BASE="network.address" # ISP network segment base address
SUBNET_BROADCAST="directed.broadcast" # network segment broadcast address
MY_ISP="my.isp.address.range" # ISP server & NOC address range
NAMESERVER="isp.name.server.1" # address of a remote name server
POP_SERVER="isp.pop.server" # address of a remote pop server
MAIL_SERVER="isp.mail.server" # address of a remote mail gateway
NEWS_SERVER="isp.news.server" # address of a remote news server
TIME_SERVER="some.timne.server" # address of a remote time server
DHCP_SERVER="isp.dhcp.server" # address of your ISP dhcp server
LOOPBACK="127.0.0.0/8" # reserved loopback address range
CLASS_A="10.0.0.0/8" # class A private networks
CLASS_B="172.16.0.0/12" # class B private networks
CLASS_C="192.168.0.0/16" # class C private networks
CLASS_D_MULTICAST="224.0.0.0/4" # class D multicast addresses
CLASS_E_RESERVED_NET="240.0.0.0/5" # class E reserved addresses
BROADCAST_SRC="0.0.0.0" # broadcast source address
BROADCAST_DEST="255.255.255.255" # broadcast destination address
PRIVPORTS="0:1023" # well-known, privileged port range
UNPRIVPORTS="1024:65535" # unprivileged port range
SSH_PORTS="1024:65535"
NFS_PORT="2049"
LOCKD_PORT="4045"
SOCKS_PORT="1080"
OPENWINDOWS_PORT="2000"
XWINDOW_PORTS="6000:6063"
SQUID_PORT="3128"
###############################################################
# Enable broadcast echo Protection
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
# Disable Source Routed Packets
for f in /proc/sys/net/ipv4/conf/*/accept_source_route; do
echo 0 > $f
done
# Enable TCP SYN Cookie Protection
echo 1 > /proc/sys/net/ipv4/tcp_syncookies
# Disable ICMP Redirect Acceptance
for f in /proc/sys/net/ipv4/conf/*/accept_redirects; do
echo 0 > $f
done
# Don¹t send Redirect Messages
for f in /proc/sys/net/ipv4/conf/*/send_redirects; do
echo 0 > $f
done
# Drop Spoofed Packets coming in on an interface, which if replied to,
# would result in the reply going out a different interface.
for f in /proc/sys/net/ipv4/conf/*/rp_filter; do
echo 1 > $f
done
# Log packets with impossible addresses.
for f in /proc/sys/net/ipv4/conf/*/log_martians; do
echo 1 > $f
done
###############################################################
# Remove any existing rules from all chains
iptables --flush
iptables -t nat --flush
iptables -t mangle --flush
# Unlimited traffic on the loopback interface
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
# Set the default policy to drop
iptables --policy INPUT DROP
iptables --policy OUTPUT DROP
iptables --policy FORWARD DROP
# A bug that showed up as of the Red Hat 7.2 release results
# in the following 5 default policies breaking the firewall
# initialization:
# iptables -t nat --policy PREROUTING DROP
# iptables -t nat --policy OUTPUT DROP
# iptables -t nat --policy POSTROUTING DROP
# iptables -t mangle --policy PREROUTING DROP
# iptables -t mangle --policy OUTPUT DROP
# Remove any pre-existing user-defined chains
iptables --delete-chain
iptables -t nat --delete-chain
iptables -t mangle --delete-chain
###############################################################
# Stealth Scans and TCP State Flags
# All of the bits are cleared
iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
# SYN and FIN are both set
iptables -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
# SYN and RST are both set
iptables -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
# FIN and RST are both set
iptables -A INPUT -p tcp --tcp-flags FIN,RST FIN,RST -j DROP
# FIN is the only bit set, without the expected accompanying ACK
iptables -A INPUT -p tcp --tcp-flags ACK,FIN FIN -j DROP
# PSH is the only bit set, without the expected accompanying ACK
iptables -A INPUT -p tcp --tcp-flags ACK,PSH PSH -j DROP
# URG is the only bit set, without the expected accompanying ACK
iptables -A INPUT -p tcp --tcp-flags ACK,URG URG -j DROP
###############################################################
# Using Connection State to By-pass Rule Checking
if [ "$CONNECTION_TRACKING" = "1" ]; then
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Using the state module alone, INVALID will break protocols that use
# bi-directional connections or multiple connections or exchanges,
# unless an ALG is provided for the protocol. At this time, FTP and is
# IRC are the only protocols with ALG support.
iptables -A INPUT -m state --state INVALID -j LOG /
--log-prefix "INVALID input: "
iptables -A INPUT -m state --state INVALID -j DROP
iptables -A OUTPUT -m state --state INVALID -j LOG /
--log-prefix "INVALID ouput: "
iptables -A OUTPUT -m state --state INVALID -j DROP
fi
###############################################################
# Source Address Spoofing and Other Bad Addresses
# Refuse spoofed packets pretending to be from
# the external interface's IP address
iptables -A INPUT -i $INTERNET -s $IPADDR -j DROP
# Refuse packets claiming to be from a Class A private network
iptables -A INPUT -i $INTERNET -s $CLASS_A -j DROP
# Refuse packets claiming to be from a Class B private network
iptables -A INPUT -i $INTERNET -s $CLASS_B -j DROP
# Refuse packets claiming to be from a Class C private network
iptables -A INPUT -i $INTERNET -s $CLASS_C -j DROP
# Refuse packets claiming to be from the loopback interface
iptables -A INPUT -i $INTERNET -s $LOOPBACK -j DROP
# Refuse malformed broadcast packets
iptables -A INPUT -i $INTERNET -s $BROADCAST_DEST -j LOG
iptables -A INPUT -i $INTERNET -s $BROADCAST_DEST -j DROP
iptables -A INPUT -i $INTERNET -d $BROADCAST_SRC -j LOG
iptables -A INPUT -i $INTERNET -d $BROADCAST_SRC -j DROP
if [ "$DHCP_CLIENT" = "0" ]; then
# Refuse directed broadcasts
# Used to map networks and in Denial of Service attacks
iptables -A INPUT -i $INTERNET -d $SUBNET_BASE -j DROP
iptables -A INPUT -i $INTERNET -d $SUBNET_BROADCAST -j DROP
# Refuse limited broadcasts
iptables -A INPUT -i $INTERNET -d $BROADCAST_DEST -j DROP
fi
# Refuse Class D multicast addresses
# illegal as a source address
iptables -A INPUT -i $INTERNET -s $CLASS_D_MULTICAST -j DROP
iptables -A INPUT -i $INTERNET -p ! udp -d $CLASS_D_MULTICAST -j DROP
iptables -A INPUT -i $INTERNET -p udp -d $CLASS_D_MULTICAST -j ACCEPT
# Refuse Class E reserved IP addresses
iptables -A INPUT -i $INTERNET -s $CLASS_E_RESERVED_NET -j DROP
# refuse addresses defined as reserved by the IANA
# 0.*.*.* - Can¹t be blocked unilaterally with DHCP
# 169.254.0.0/16 - Link Local Networks
# 192.0.2.0/24 - TEST-NET
if [ "$DHCP_CLIENT" = "1" ]; then
iptables -A INPUT -i $INTERNET -p udp /
-s $BROADCAST_SRC --sport 67 /
-d $BROADCAST_DEST --dport 68 -j ACCEPT
fi
iptables -A INPUT -i $INTERNET -s 0.0.0.0/8 -j DROP
iptables -A INPUT -i $INTERNET -s 169.254.0.0/16 -j DROP
iptables -A INPUT -i $INTERNET -s 192.0.2.0/24 -j DROP
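###############################################################
# Disallowing connections to common TCP unprivileged server ports.
# These services listen above port 1023, where the broad client-return
# rules later in the file (unprivileged port to unprivileged port) could
# otherwise let a connection attempt through, so they are refused here
# explicitly.  Outgoing attempts are REJECTed so local programs get an
# immediate error; incoming attempts are silently DROPped.
# X Window connection establishment
iptables -A OUTPUT -o "$INTERNET" -p tcp --syn \
  --dport "$XWINDOW_PORTS" -j REJECT
# X Window: incoming connection attempt
iptables -A INPUT -i "$INTERNET" -p tcp --syn \
  --dport "$XWINDOW_PORTS" -j DROP
# Establishing a connection over TCP to NFS, OpenWindows, SOCKS or squid
iptables -A OUTPUT -o "$INTERNET" -p tcp \
  -m multiport --dports "$NFS_PORT,$OPENWINDOWS_PORT,$SOCKS_PORT,$SQUID_PORT" \
  --syn -j REJECT
iptables -A INPUT -i "$INTERNET" -p tcp \
  -m multiport --dports "$NFS_PORT,$OPENWINDOWS_PORT,$SOCKS_PORT,$SQUID_PORT" \
  --syn -j DROP
###############################################################
# Disallowing connections to common UDP unprivileged server ports
# NFS and lockd
if [ "$CONNECTION_TRACKING" = "1" ]; then
  # With state tracking only the first datagram of a new flow is
  # refused; later datagrams of flows this host opened are presumably
  # handled by an ESTABLISHED rule earlier in the script.
  iptables -A OUTPUT -o "$INTERNET" -p udp \
    -m multiport --dports "$NFS_PORT,$LOCKD_PORT" \
    -m state --state NEW -j REJECT
  iptables -A INPUT -i "$INTERNET" -p udp \
    -m multiport --dports "$NFS_PORT,$LOCKD_PORT" \
    -m state --state NEW -j DROP
else
  # Stateless fallback: refuse every datagram to these ports.
  iptables -A OUTPUT -o "$INTERNET" -p udp \
    -m multiport --dports "$NFS_PORT,$LOCKD_PORT" -j REJECT
  iptables -A INPUT -i "$INTERNET" -p udp \
    -m multiport --dports "$NFS_PORT,$LOCKD_PORT" -j DROP
fi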
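###############################################################
# DNS name service (UDP/TCP port 53) against the configured $NAMESERVER
# DNS forwarding name server or client (resolver) requests, both of
# which use an unprivileged local source port.
# Pattern used throughout this file: when connection tracking is on, a
# "--state NEW" rule admits the first packet of a flow; the unconditional
# rules that follow are the stateless fallback and are redundant (but
# harmless) in that case.
# Caveat: the stateless INPUT rules accept any datagram carrying the
# name server's address and source port 53.  A UDP source address is
# trivially forged, so this is only as strong as the anti-spoofing
# checks above.
if [ "$CONNECTION_TRACKING" = "1" ]; then
  iptables -A OUTPUT -o "$INTERNET" -p udp \
    -s "$IPADDR" --sport "$UNPRIVPORTS" \
    -d "$NAMESERVER" --dport 53 \
    -m state --state NEW -j ACCEPT
fi
iptables -A OUTPUT -o "$INTERNET" -p udp \
  -s "$IPADDR" --sport "$UNPRIVPORTS" \
  -d "$NAMESERVER" --dport 53 -j ACCEPT
iptables -A INPUT -i "$INTERNET" -p udp \
  -s "$NAMESERVER" --sport 53 \
  -d "$IPADDR" --dport "$UNPRIVPORTS" -j ACCEPT
#...............................................................
# TCP is used for large responses.  Incoming packets are limited to
# "! --syn" so that the name server's address cannot be used to open a
# connection towards this host.
if [ "$CONNECTION_TRACKING" = "1" ]; then
  iptables -A OUTPUT -o "$INTERNET" -p tcp \
    -s "$IPADDR" --sport "$UNPRIVPORTS" \
    -d "$NAMESERVER" --dport 53 \
    -m state --state NEW -j ACCEPT
fi
iptables -A OUTPUT -o "$INTERNET" -p tcp \
  -s "$IPADDR" --sport "$UNPRIVPORTS" \
  -d "$NAMESERVER" --dport 53 -j ACCEPT
iptables -A INPUT -i "$INTERNET" -p tcp ! --syn \
  -s "$NAMESERVER" --sport 53 \
  -d "$IPADDR" --dport "$UNPRIVPORTS" -j ACCEPT
#...............................................................
# DNS caching name server (local server to primary server): the local
# server queries from source port 53 rather than an unprivileged port.
# Only needed if a caching server actually runs here; otherwise these
# three rules can be removed.
if [ "$CONNECTION_TRACKING" = "1" ]; then
  iptables -A OUTPUT -o "$INTERNET" -p udp \
    -s "$IPADDR" --sport 53 \
    -d "$NAMESERVER" --dport 53 \
    -m state --state NEW -j ACCEPT
fi
iptables -A OUTPUT -o "$INTERNET" -p udp \
  -s "$IPADDR" --sport 53 \
  -d "$NAMESERVER" --dport 53 -j ACCEPT
iptables -A INPUT -i "$INTERNET" -p udp \
  -s "$NAMESERVER" --sport 53 \
  -d "$IPADDR" --dport 53 -j ACCEPT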
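###############################################################
# Filtering the AUTH user identification service (TCP port 113)
# Outgoing local client requests to remote identd servers
if [ "$CONNECTION_TRACKING" = "1" ]; then
  iptables -A OUTPUT -o "$INTERNET" -p tcp \
    -s "$IPADDR" --sport "$UNPRIVPORTS" \
    --dport 113 -m state --state NEW -j ACCEPT
fi
iptables -A OUTPUT -o "$INTERNET" -p tcp \
  -s "$IPADDR" --sport "$UNPRIVPORTS" \
  --dport 113 -j ACCEPT
iptables -A INPUT -i "$INTERNET" -p tcp ! --syn \
  --sport 113 \
  -d "$IPADDR" --dport "$UNPRIVPORTS" -j ACCEPT
#...............................................................
# Incoming remote client requests to a local identd.
# Accepted only when ACCEPT_AUTH="1".  Do not append an unconditional
# "--dport 113 --state NEW -j ACCEPT" ahead of this test: rules match in
# order, so it would shadow the REJECT in the else branch whenever
# connection tracking is on and make ACCEPT_AUTH="0" ineffective.
if [ "$ACCEPT_AUTH" = "1" ]; then
  if [ "$CONNECTION_TRACKING" = "1" ]; then
    iptables -A INPUT -i "$INTERNET" -p tcp \
      --sport "$UNPRIVPORTS" \
      -d "$IPADDR" --dport 113 \
      -m state --state NEW -j ACCEPT
  fi
  iptables -A INPUT -i "$INTERNET" -p tcp \
    --sport "$UNPRIVPORTS" \
    -d "$IPADDR" --dport 113 -j ACCEPT
  iptables -A OUTPUT -o "$INTERNET" -p tcp ! --syn \
    -s "$IPADDR" --sport 113 \
    --dport "$UNPRIVPORTS" -j ACCEPT
else
  # Refuse with a TCP reset rather than a silent drop, so remote mail
  # and IRC servers that probe identd get an immediate answer instead
  # of waiting for a timeout.
  iptables -A INPUT -i "$INTERNET" -p tcp \
    --sport "$UNPRIVPORTS" \
    -d "$IPADDR" --dport 113 -j REJECT --reject-with tcp-reset
fi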
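###############################################################
# Sending mail to any external mail server (TCP port 25)
# Use "-d $MAIL_SERVER" if an ISP mail gateway is used instead.  As
# written, the local MTA may deliver directly to any host; restricting
# it to the ISP gateway limits what a compromised local account can do.
if [ "$CONNECTION_TRACKING" = "1" ]; then
  iptables -A OUTPUT -o "$INTERNET" -p tcp \
    -s "$IPADDR" --sport "$UNPRIVPORTS" \
    --dport 25 -m state --state NEW -j ACCEPT
fi
iptables -A OUTPUT -o "$INTERNET" -p tcp \
  -s "$IPADDR" --sport "$UNPRIVPORTS" \
  --dport 25 -j ACCEPT
iptables -A INPUT -i "$INTERNET" -p tcp ! --syn \
  --sport 25 \
  -d "$IPADDR" --dport "$UNPRIVPORTS" -j ACCEPT
###############################################################
# Retrieving mail as a POP client (TCP port 110) from $POP_SERVER
# Caveat: plain POP3 on port 110 carries credentials in clear text;
# prefer POP3S (TCP 995) or IMAPS if the server offers them, and adjust
# the port here accordingly.
if [ "$CONNECTION_TRACKING" = "1" ]; then
  iptables -A OUTPUT -o "$INTERNET" -p tcp \
    -s "$IPADDR" --sport "$UNPRIVPORTS" \
    -d "$POP_SERVER" --dport 110 -m state --state NEW -j ACCEPT
fi
iptables -A OUTPUT -o "$INTERNET" -p tcp \
  -s "$IPADDR" --sport "$UNPRIVPORTS" \
  -d "$POP_SERVER" --dport 110 -j ACCEPT
iptables -A INPUT -i "$INTERNET" -p tcp ! --syn \
  -s "$POP_SERVER" --sport 110 \
  -d "$IPADDR" --dport "$UNPRIVPORTS" -j ACCEPT
###############################################################
# Accessing Usenet news services (TCP NNTP port 119) on $NEWS_SERVER
if [ "$CONNECTION_TRACKING" = "1" ]; then
  iptables -A OUTPUT -o "$INTERNET" -p tcp \
    -s "$IPADDR" --sport "$UNPRIVPORTS" \
    -d "$NEWS_SERVER" --dport 119 -m state --state NEW -j ACCEPT
fi
iptables -A OUTPUT -o "$INTERNET" -p tcp \
  -s "$IPADDR" --sport "$UNPRIVPORTS" \
  -d "$NEWS_SERVER" --dport 119 -j ACCEPT
iptables -A INPUT -i "$INTERNET" -p tcp ! --syn \
  -s "$NEWS_SERVER" --sport 119 \
  -d "$IPADDR" --dport "$UNPRIVPORTS" -j ACCEPT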
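###############################################################
# ssh (TCP port 22)
# Outgoing local client requests to remote servers.  $SSH_PORTS is the
# local source-port range the client may use (configured above as the
# unprivileged range).
if [ "$CONNECTION_TRACKING" = "1" ]; then
  iptables -A OUTPUT -o "$INTERNET" -p tcp \
    -s "$IPADDR" --sport "$SSH_PORTS" \
    --dport 22 -m state --state NEW -j ACCEPT
fi
iptables -A OUTPUT -o "$INTERNET" -p tcp \
  -s "$IPADDR" --sport "$SSH_PORTS" \
  --dport 22 -j ACCEPT
iptables -A INPUT -i "$INTERNET" -p tcp ! --syn \
  --sport 22 \
  -d "$IPADDR" --dport "$SSH_PORTS" -j ACCEPT
#...............................................................
# Incoming remote client requests to a local sshd, only when SSH_SERVER="1".
# These rules admit any source address; if the set of legitimate clients
# is known, add "-s <address or range>" to narrow them.
if [ "$SSH_SERVER" = "1" ]; then
  if [ "$CONNECTION_TRACKING" = "1" ]; then
    iptables -A INPUT -i "$INTERNET" -p tcp \
      --sport "$SSH_PORTS" \
      -d "$IPADDR" --dport 22 \
      -m state --state NEW -j ACCEPT
  fi
  iptables -A INPUT -i "$INTERNET" -p tcp \
    --sport "$SSH_PORTS" \
    -d "$IPADDR" --dport 22 -j ACCEPT
  iptables -A OUTPUT -o "$INTERNET" -p tcp ! --syn \
    -s "$IPADDR" --sport 22 \
    --dport "$SSH_PORTS" -j ACCEPT
fi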
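###############################################################
# ftp (TCP ports 21, 20)
# Outgoing local client requests to remote servers
# Outgoing control connection to port 21
if [ "$CONNECTION_TRACKING" = "1" ]; then
  iptables -A OUTPUT -o "$INTERNET" -p tcp \
    -s "$IPADDR" --sport "$UNPRIVPORTS" \
    --dport 21 -m state --state NEW -j ACCEPT
fi
iptables -A OUTPUT -o "$INTERNET" -p tcp \
  -s "$IPADDR" --sport "$UNPRIVPORTS" \
  --dport 21 -j ACCEPT
iptables -A INPUT -i "$INTERNET" -p tcp ! --syn \
  --sport 21 \
  -d "$IPADDR" --dport "$UNPRIVPORTS" -j ACCEPT
# Incoming port-mode data channel connection from port 20
# Caution: this accepts a NEW connection from *any* host that chooses
# source port 20 to *any* local unprivileged port.  With the FTP
# connection-tracking helper loaded (the modprobe at the top of the
# script; on current kernels the module is named nf_conntrack_ftp) the
# data channel can be admitted as RELATED instead and these rules are
# not necessary.
if [ "$CONNECTION_TRACKING" = "1" ]; then
  iptables -A INPUT -i "$INTERNET" -p tcp \
    --sport 20 \
    -d "$IPADDR" --dport "$UNPRIVPORTS" \
    -m state --state NEW -j ACCEPT
fi
iptables -A INPUT -i "$INTERNET" -p tcp \
  --sport 20 \
  -d "$IPADDR" --dport "$UNPRIVPORTS" -j ACCEPT
iptables -A OUTPUT -o "$INTERNET" -p tcp ! --syn \
  -s "$IPADDR" --sport "$UNPRIVPORTS" \
  --dport 20 -j ACCEPT
# Outgoing passive-mode data channel connection between unprivileged ports
# Caution: this opens outgoing TCP from any local unprivileged port to
# any unprivileged port on any host, and the stateless INPUT rule
# accepts any non-SYN packet between unprivileged ports (enough for
# ACK-style scans to get answers).  It is the broadest rule in the file
# and, like the port-mode rules above, is unnecessary with the FTP
# connection-tracking helper.
if [ "$CONNECTION_TRACKING" = "1" ]; then
  iptables -A OUTPUT -o "$INTERNET" -p tcp \
    -s "$IPADDR" --sport "$UNPRIVPORTS" \
    --dport "$UNPRIVPORTS" -m state --state NEW -j ACCEPT
fi
iptables -A OUTPUT -o "$INTERNET" -p tcp \
  -s "$IPADDR" --sport "$UNPRIVPORTS" \
  --dport "$UNPRIVPORTS" -j ACCEPT
iptables -A INPUT -i "$INTERNET" -p tcp ! --syn \
  --sport "$UNPRIVPORTS" \
  -d "$IPADDR" --dport "$UNPRIVPORTS" -j ACCEPT
#...............................................................
# Incoming remote client requests to a local FTP server, only when
# FTP_SERVER="1".
if [ "$FTP_SERVER" = "1" ]; then
  # Incoming control connection to port 21
  if [ "$CONNECTION_TRACKING" = "1" ]; then
    iptables -A INPUT -i "$INTERNET" -p tcp \
      --sport "$UNPRIVPORTS" \
      -d "$IPADDR" --dport 21 \
      -m state --state NEW -j ACCEPT
  fi
  iptables -A INPUT -i "$INTERNET" -p tcp \
    --sport "$UNPRIVPORTS" \
    -d "$IPADDR" --dport 21 -j ACCEPT
  iptables -A OUTPUT -o "$INTERNET" -p tcp ! --syn \
    -s "$IPADDR" --sport 21 \
    --dport "$UNPRIVPORTS" -j ACCEPT
  # Outgoing port-mode data channel connection from port 20.
  # The source-port argument must be followed by a space before the
  # line continuation; "--sport 20\" would join it with "--dport".
  if [ "$CONNECTION_TRACKING" = "1" ]; then
    iptables -A OUTPUT -o "$INTERNET" -p tcp \
      -s "$IPADDR" --sport 20 \
      --dport "$UNPRIVPORTS" -m state --state NEW -j ACCEPT
  fi
  iptables -A OUTPUT -o "$INTERNET" -p tcp \
    -s "$IPADDR" --sport 20 \
    --dport "$UNPRIVPORTS" -j ACCEPT
  iptables -A INPUT -i "$INTERNET" -p tcp ! --syn \
    --sport "$UNPRIVPORTS" \
    -d "$IPADDR" --dport 20 -j ACCEPT
  # Incoming passive-mode data channel connection between unprivileged ports.
  # Same caveat as above: this admits NEW connections from any host to any
  # local unprivileged port, not just the server's passive data ports.
  if [ "$CONNECTION_TRACKING" = "1" ]; then
    iptables -A INPUT -i "$INTERNET" -p tcp \
      --sport "$UNPRIVPORTS" \
      -d "$IPADDR" --dport "$UNPRIVPORTS" \
      -m state --state NEW -j ACCEPT
  fi
  iptables -A INPUT -i "$INTERNET" -p tcp \
    --sport "$UNPRIVPORTS" \
    -d "$IPADDR" --dport "$UNPRIVPORTS" -j ACCEPT
  iptables -A OUTPUT -o "$INTERNET" -p tcp ! --syn \
    -s "$IPADDR" --sport "$UNPRIVPORTS" \
    --dport "$UNPRIVPORTS" -j ACCEPT
fi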
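###############################################################
# HTTP web traffic (TCP port 80)
# Outgoing local client requests to remote servers
if [ "$CONNECTION_TRACKING" = "1" ]; then
  iptables -A OUTPUT -o "$INTERNET" -p tcp \
    -s "$IPADDR" --sport "$UNPRIVPORTS" \
    --dport 80 -m state --state NEW -j ACCEPT
fi
iptables -A OUTPUT -o "$INTERNET" -p tcp \
  -s "$IPADDR" --sport "$UNPRIVPORTS" \
  --dport 80 -j ACCEPT
iptables -A INPUT -i "$INTERNET" -p tcp ! --syn \
  --sport 80 \
  -d "$IPADDR" --dport "$UNPRIVPORTS" -j ACCEPT
#...............................................................
# Incoming remote client requests to a local web server, only when
# WEB_SERVER="1".  Any source address is admitted.
if [ "$WEB_SERVER" = "1" ]; then
  if [ "$CONNECTION_TRACKING" = "1" ]; then
    iptables -A INPUT -i "$INTERNET" -p tcp \
      --sport "$UNPRIVPORTS" \
      -d "$IPADDR" --dport 80 \
      -m state --state NEW -j ACCEPT
  fi
  iptables -A INPUT -i "$INTERNET" -p tcp \
    --sport "$UNPRIVPORTS" \
    -d "$IPADDR" --dport 80 -j ACCEPT
  iptables -A OUTPUT -o "$INTERNET" -p tcp ! --syn \
    -s "$IPADDR" --sport 80 \
    --dport "$UNPRIVPORTS" -j ACCEPT
fi
###############################################################
# SSL/TLS web traffic (TCP port 443)
# Outgoing local client requests to remote servers
if [ "$CONNECTION_TRACKING" = "1" ]; then
  iptables -A OUTPUT -o "$INTERNET" -p tcp \
    -s "$IPADDR" --sport "$UNPRIVPORTS" \
    --dport 443 -m state --state NEW -j ACCEPT
fi
iptables -A OUTPUT -o "$INTERNET" -p tcp \
  -s "$IPADDR" --sport "$UNPRIVPORTS" \
  --dport 443 -j ACCEPT
iptables -A INPUT -i "$INTERNET" -p tcp ! --syn \
  --sport 443 \
  -d "$IPADDR" --dport "$UNPRIVPORTS" -j ACCEPT
#...............................................................
# Incoming remote client requests to a local TLS web server, only when
# SSL_SERVER="1".  Any source address is admitted.
if [ "$SSL_SERVER" = "1" ]; then
  if [ "$CONNECTION_TRACKING" = "1" ]; then
    iptables -A INPUT -i "$INTERNET" -p tcp \
      --sport "$UNPRIVPORTS" \
      -d "$IPADDR" --dport 443 \
      -m state --state NEW -j ACCEPT
  fi
  iptables -A INPUT -i "$INTERNET" -p tcp \
    --sport "$UNPRIVPORTS" \
    -d "$IPADDR" --dport 443 -j ACCEPT
  iptables -A OUTPUT -o "$INTERNET" -p tcp ! --syn \
    -s "$IPADDR" --sport 443 \
    --dport "$UNPRIVPORTS" -j ACCEPT
fi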
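###############################################################
# whois (TCP port 43)
# Outgoing local client requests to remote servers
if [ "$CONNECTION_TRACKING" = "1" ]; then
  iptables -A OUTPUT -o "$INTERNET" -p tcp \
    -s "$IPADDR" --sport "$UNPRIVPORTS" \
    --dport 43 -m state --state NEW -j ACCEPT
fi
iptables -A OUTPUT -o "$INTERNET" -p tcp \
  -s "$IPADDR" --sport "$UNPRIVPORTS" \
  --dport 43 -j ACCEPT
iptables -A INPUT -i "$INTERNET" -p tcp ! --syn \
  --sport 43 \
  -d "$IPADDR" --dport "$UNPRIVPORTS" -j ACCEPT
###############################################################
# Accessing remote network time servers (UDP 123) at $TIME_SERVER
# Note: some clients and servers use source port 123 when querying a
# remote server on destination port 123.  These rules only allow an
# unprivileged local source port, so an ntpd that binds port 123
# locally needs an additional pair of rules with "--sport 123".
if [ "$CONNECTION_TRACKING" = "1" ]; then
  iptables -A OUTPUT -o "$INTERNET" -p udp \
    -s "$IPADDR" --sport "$UNPRIVPORTS" \
    -d "$TIME_SERVER" --dport 123 \
    -m state --state NEW -j ACCEPT
fi
iptables -A OUTPUT -o "$INTERNET" -p udp \
  -s "$IPADDR" --sport "$UNPRIVPORTS" \
  -d "$TIME_SERVER" --dport 123 -j ACCEPT
iptables -A INPUT -i "$INTERNET" -p udp \
  -s "$TIME_SERVER" --sport 123 \
  -d "$IPADDR" --dport "$UNPRIVPORTS" -j ACCEPT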
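###############################################################
# Accessing your ISP's DHCP server (UDP ports 67, 68)
# Some broadcast packets are explicitly ignored by the firewall.
# Others are dropped by the default policy.
# The DHCP accepts must precede the broadcast-related drops, as DHCP
# relies on broadcast traffic initially; that is why the directed and
# limited broadcast drops are appended at the end of this section when
# DHCP_CLIENT="1" (and near the top of the file otherwise).
# NOTE(review): many Linux DHCP clients exchange the initial DISCOVER/
# OFFER over packet sockets, which netfilter does not see; the rules
# here matter for the unicast renewals and for clients that use normal
# UDP sockets.  Confirm against the client in use.
if [ "$DHCP_CLIENT" = "1" ]; then
  # Initialization or rebinding: no lease, or lease time expired.
  iptables -A OUTPUT -o "$INTERNET" -p udp \
    -s "$BROADCAST_SRC" --sport 68 \
    -d "$BROADCAST_DEST" --dport 67 -j ACCEPT
  # Incoming DHCPOFFER from available DHCP servers
  iptables -A INPUT -i "$INTERNET" -p udp \
    -s "$BROADCAST_SRC" --sport 67 \
    -d "$BROADCAST_DEST" --dport 68 -j ACCEPT
  # Fall back to initialization.
  # The client knows its server, but has either lost its lease,
  # or else needs to reconfirm the IP address after rebooting.
  iptables -A OUTPUT -o "$INTERNET" -p udp \
    -s "$BROADCAST_SRC" --sport 68 \
    -d "$DHCP_SERVER" --dport 67 -j ACCEPT
  iptables -A INPUT -i "$INTERNET" -p udp \
    -s "$DHCP_SERVER" --sport 67 \
    -d "$BROADCAST_DEST" --dport 68 -j ACCEPT
  # As a result of the above, we're supposed to change our IP
  # address with this message, which is addressed to our new
  # address before the dhcp client has received the update.
  # Depending on the server implementation, the destination address
  # can be the new IP address, the subnet address, or the limited
  # broadcast address.
  # If the network subnet address is used as the destination,
  # the next rule must allow incoming packets destined to the
  # subnet address, and the rule must precede any general rules
  # that block such incoming broadcast packets.  It therefore
  # matches on source and ports only, with no -d restriction.
  iptables -A INPUT -i "$INTERNET" -p udp \
    -s "$DHCP_SERVER" --sport 67 \
    --dport 68 -j ACCEPT
  # Lease renewal (unicast, from the address we already hold)
  iptables -A OUTPUT -o "$INTERNET" -p udp \
    -s "$IPADDR" --sport 68 \
    -d "$DHCP_SERVER" --dport 67 -j ACCEPT
  iptables -A INPUT -i "$INTERNET" -p udp \
    -s "$DHCP_SERVER" --sport 67 \
    -d "$IPADDR" --dport 68 -j ACCEPT
  # Refuse directed broadcasts
  # (used to map networks and in denial-of-service attacks)
  iptables -A INPUT -i "$INTERNET" -d "$SUBNET_BASE" -j DROP
  iptables -A INPUT -i "$INTERNET" -d "$SUBNET_BROADCAST" -j DROP
  # Refuse limited broadcasts
  iptables -A INPUT -i "$INTERNET" -d "$BROADCAST_DEST" -j DROP
fi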
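###############################################################
# ICMP control and status messages
# Log and drop initial ICMP fragments.  Legitimate ICMP messages are
# short and should never arrive fragmented; fragments are treated as
# hostile in both directions.
iptables -A INPUT -i "$INTERNET" --fragment -p icmp -j LOG \
  --log-prefix "Fragmented incoming ICMP: "
iptables -A INPUT -i "$INTERNET" --fragment -p icmp -j DROP
iptables -A OUTPUT -o "$INTERNET" --fragment -p icmp -j LOG \
  --log-prefix "Fragmented outgoing ICMP: "
iptables -A OUTPUT -o "$INTERNET" --fragment -p icmp -j DROP
# Source quench (type 4).
# NOTE(review): deprecated by RFC 6633 and ignored by current TCP/IP
# stacks; accepting it only adds attack surface.  Consider removing
# both rules unless a legacy stack on this host still honours it.
iptables -A INPUT -i "$INTERNET" -p icmp \
  --icmp-type source-quench -d "$IPADDR" -j ACCEPT
iptables -A OUTPUT -o "$INTERNET" -p icmp \
  -s "$IPADDR" --icmp-type source-quench -j ACCEPT
# Parameter problem (type 12), both directions
iptables -A INPUT -i "$INTERNET" -p icmp \
  --icmp-type parameter-problem -d "$IPADDR" -j ACCEPT
iptables -A OUTPUT -o "$INTERNET" -p icmp \
  -s "$IPADDR" --icmp-type parameter-problem -j ACCEPT
# Destination unreachable (type 3): accept all incoming subtypes, but
# send only fragmentation-needed (needed for path-MTU discovery).
iptables -A INPUT -i "$INTERNET" -p icmp \
  --icmp-type destination-unreachable -d "$IPADDR" -j ACCEPT
iptables -A OUTPUT -o "$INTERNET" -p icmp \
  -s "$IPADDR" --icmp-type fragmentation-needed -j ACCEPT
# Don't log dropped outgoing ICMP error messages.  Dropping them
# (rather than sending port-unreachable) avoids telling a scanner
# which local UDP ports are closed.
iptables -A OUTPUT -o "$INTERNET" -p icmp \
  -s "$IPADDR" --icmp-type destination-unreachable -j DROP
# Intermediate traceroute responses
iptables -A INPUT -i "$INTERNET" -p icmp \
  --icmp-type time-exceeded -d "$IPADDR" -j ACCEPT
# Allow outgoing pings to anywhere
if [ "$CONNECTION_TRACKING" = "1" ]; then
  iptables -A OUTPUT -o "$INTERNET" -p icmp \
    -s "$IPADDR" --icmp-type echo-request \
    -m state --state NEW -j ACCEPT
fi
iptables -A OUTPUT -o "$INTERNET" -p icmp \
  -s "$IPADDR" --icmp-type echo-request -j ACCEPT
iptables -A INPUT -i "$INTERNET" -p icmp \
  --icmp-type echo-reply -d "$IPADDR" -j ACCEPT
# Allow incoming pings only from trusted hosts ($MY_ISP range)
if [ "$CONNECTION_TRACKING" = "1" ]; then
  iptables -A INPUT -i "$INTERNET" -p icmp \
    -s "$MY_ISP" --icmp-type echo-request -d "$IPADDR" \
    -m state --state NEW -j ACCEPT
fi
iptables -A INPUT -i "$INTERNET" -p icmp \
  -s "$MY_ISP" --icmp-type echo-request -d "$IPADDR" -j ACCEPT
iptables -A OUTPUT -o "$INTERNET" -p icmp \
  -s "$IPADDR" --icmp-type echo-reply -d "$MY_ISP" -j ACCEPT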
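###############################################################
# Logging dropped packets
# Anything still unmatched here falls through to the chain's default
# policy (presumably DROP, set earlier in the script); log it first.
# NOTE(review): these LOG rules are unbounded, so a remote host can
# fill the log by sending junk.  Prefix each with a rate limit such as
# "-m limit --limit 5/minute --limit-burst 10" before deploying.
# Don't log dropped incoming echo-requests (ping noise).  Negation is
# written extrapositioned ("! --icmp-type 8"), the form the rest of the
# file already uses for "! --syn"; "--icmp-type ! 8" is deprecated.
iptables -A INPUT -i "$INTERNET" -p icmp \
  ! --icmp-type 8 -d "$IPADDR" -j LOG
iptables -A INPUT -i "$INTERNET" -p tcp \
  -d "$IPADDR" -j LOG
iptables -A OUTPUT -o "$INTERNET" -j LOG
exit 0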