Created
August 5, 2015 18:11
-
-
Save egeste/780ef7fa540ddc7462be to your computer and use it in GitHub Desktop.
A generic iptables firewall for a personal workstation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/bin/bash | |
| # Flush all existing rules | |
| iptables -F | |
| # Drop suspicious traffic | |
| iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP | |
| iptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP | |
| iptables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP | |
| # Allow loopback/established | |
| iptables -A INPUT -i lo -j ACCEPT | |
| iptables -I INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT | |
| # Open specific ports | |
| iptables -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT | |
| #iptables -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT | |
| #iptables -A INPUT -p tcp -m tcp --dport 443 -j ACCEPT | |
| # Allow avahi/windows shit | |
| #iptables -A INPUT -p udp -m udp --dport 5353 -j ACCEPT | |
| # Chromecast | |
| #iptables -A INPUT -p tcp --dport 5556 -j ACCEPT | |
| #iptables -A INPUT -p tcp --dport 5558 -j ACCEPT | |
| # Allow UDP on all ephemeral ports for UPnP/SSDP | |
| #iptables -A INPUT -p udp --dport 32768:61000 -j ACCEPT | |
| # Drop everything else | |
| iptables -P INPUT DROP |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment