A basic iptables rules setup
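#!/usr/bin/env bash
# A basic iptables (IPv4) host firewall.
#
# Policy: default DROP on INPUT/OUTPUT/FORWARD. Inbound TCP is accepted only
# on the ports listed in tcp_packets (22 and 80), replies to this host's own
# traffic are accepted statefully, and everything else is logged
# (rate-limited) and dropped.
#
# Parameters (environment):
#   INET_IP    - this host's public IPv4 address (required; was "a.b.c.d")
#   INET_IFACE - the internet-facing interface (default: eth0)
#   LAN_IFACE  - if set, traffic arriving on this interface is forwarded and
#                source-NATed out of INET_IFACE (needs net.ipv4.ip_forward=1)
#   IPT        - path to the iptables binary (default: /sbin/iptables)
#
# Caveats:
#   - IPv4 only: ip6tables is untouched, so apply an equivalent policy there
#     or the host stays wide open over IPv6.
#   - Rules are applied one command at a time, not atomically; on a remote
#     host prefer generating the ruleset and loading it with iptables-restore.
#   - Nothing here persists across reboots; save the result with iptables-save.
set -euo pipefail

: "${INET_IP:?set INET_IP to this host's public IPv4 address}"
INET_IFACE=${INET_IFACE:-eth0}
IPT=${IPT:-/sbin/iptables}
# Rate limit shared by every LOG rule so an attacker cannot fill the logs.
LOG_LIMIT=(-m limit --limit 3/minute --limit-burst 3)

## Start from a clean slate so the script is safe to re-run: flush every rule,
## then delete the user-defined chains (otherwise the -N calls below fail and
## re-running would duplicate every rule).
"$IPT" -F
"$IPT" -X
"$IPT" -t nat -F
"$IPT" -t nat -X

## Make some new chains (should be self explanatory)
"$IPT" -N bad_tcp_packets
"$IPT" -N allowed
"$IPT" -N tcp_packets
"$IPT" -N udp_packets
"$IPT" -N icmp_packets

## Drop bad packets: a SYN,ACK that conntrack has never seen is answered with
## a RST; any other non-SYN packet that would open a NEW connection is logged
## (rate-limited, unlike the original) and dropped.
"$IPT" -A bad_tcp_packets -p tcp --tcp-flags SYN,ACK SYN,ACK -m state --state NEW -j REJECT --reject-with tcp-reset
"$IPT" -A bad_tcp_packets -p tcp ! --syn -m state --state NEW "${LOG_LIMIT[@]}" -j LOG --log-prefix "New not syn:"
"$IPT" -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j DROP

## Set up allowed chain, this is where accepted packets will jump
"$IPT" -A allowed -p TCP --syn -j ACCEPT
"$IPT" -A allowed -p TCP -m state --state ESTABLISHED,RELATED -j ACCEPT
"$IPT" -A allowed -p TCP -j DROP

## tcp_packets: the inbound TCP services. Every rule in this chain jumps to
## allowed. NOTE: both ports are open to the whole internet (-s 0/0); restrict
## SSH to your management networks (e.g. -s 192.0.2.0/24) where possible.
"$IPT" -A tcp_packets -p TCP -s 0/0 --dport 22 -j allowed
"$IPT" -A tcp_packets -p TCP -s 0/0 --dport 80 -j allowed

## udp_packets and icmp_packets are intentionally left empty: an empty chain
## returns to INPUT, where the packet is logged and dropped. Unsolicited
## inbound UDP and ICMP (including ping) are therefore refused, while replies
## and ICMP errors belonging to this host's own connections are still accepted
## by the ESTABLISHED,RELATED rule below. Add rules here to open UDP services
## or allow ping, for example:
##   "$IPT" -A udp_packets -p UDP --dport 53 -j ACCEPT
##   "$IPT" -A icmp_packets -p ICMP --icmp-type echo-request -m limit --limit 1/second -j ACCEPT

## Loopback must be accepted explicitly: its packets are neither addressed to
## INET_IP nor seen on INET_IFACE, so without these rules every local
## service-to-service connection over 127.0.0.1 is dropped on both chains.
"$IPT" -A INPUT -i lo -j ACCEPT
"$IPT" -A OUTPUT -o lo -j ACCEPT

## Start adding new chains to the INPUT chain
"$IPT" -A INPUT -p tcp -j bad_tcp_packets
"$IPT" -A OUTPUT -p tcp -j bad_tcp_packets
"$IPT" -A FORWARD -p tcp -j bad_tcp_packets
"$IPT" -A INPUT -p ALL -d "$INET_IP" -m state --state ESTABLISHED,RELATED -j ACCEPT
"$IPT" -A INPUT -p TCP -i "$INET_IFACE" -j tcp_packets
"$IPT" -A INPUT -p ICMP -i "$INET_IFACE" -j icmp_packets
"$IPT" -A INPUT -p UDP -i "$INET_IFACE" -j udp_packets

## Allow outbound traffic originating from our own address
"$IPT" -A OUTPUT -p ALL -s "$INET_IP" -j ACCEPT

## Forwarding plus source NAT for a LAN behind this host, only when LAN_IFACE
## is set. A POSTROUTING SNAT rule on its own does nothing useful while FORWARD
## drops everything, so the two are configured together here. Make sure
## /proc/sys/net/ipv4/ip_forward = 1.
if [[ -n "${LAN_IFACE:-}" ]]; then
  "$IPT" -A FORWARD -i "$LAN_IFACE" -o "$INET_IFACE" -j ACCEPT
  "$IPT" -A FORWARD -i "$INET_IFACE" -o "$LAN_IFACE" -m state --state ESTABLISHED,RELATED -j ACCEPT
  "$IPT" -t nat -A POSTROUTING -o "$INET_IFACE" -j SNAT --to-source "$INET_IP"
fi

## Setup logging (with limits) before the packet falls off the end
"$IPT" -A INPUT "${LOG_LIMIT[@]}" -j LOG --log-level DEBUG --log-prefix "IPT INPUT packet died: "
"$IPT" -A FORWARD "${LOG_LIMIT[@]}" -j LOG --log-level DEBUG --log-prefix "IPT FORWARD packet died: "
"$IPT" -A OUTPUT "${LOG_LIMIT[@]}" -j LOG --log-level DEBUG --log-prefix "IPT OUTPUT packet died: "

## Set the default policy to DROP. Anything not accepted above will drop.
## Applied last, as in the original: the ruleset is not loaded atomically, so
## on a remote host a mid-script failure (set -e aborts) can still leave the
## box half-configured; see the iptables-restore caveat in the header.
"$IPT" -P INPUT DROP
"$IPT" -P OUTPUT DROP
"$IPT" -P FORWARD DROP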