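#!/bin/bash
#
# Packet-filter setup for a forwarding host: flush the current iptables
# ruleset, set DROP as the default policy on every filter chain, then add a
# small set of FORWARD and mangle rules. Fill in the *_ADDR / *_DEV values
# below before running; the script refuses to start while the ones it uses
# are still empty, so a half-built ruleset is never left behind.
set -euo pipefail

readonly IPT="/sbin/iptables"
# Port lists passed to "-m multiport --dports" (ranges use a colon).
# NOTE(review): the original comment described this list as "111 and 515"
# while the value says 115 - confirm which port is intended.
readonly INVALID_TCP_PORTS="32768:32775,137:139,111,115"
readonly INVALID_UDP_PORTS="32768:32775,137:139,111,115"
readonly HIGH_PORTS="1025:65535"

# Site-specific settings - fill these in before use.
FIREWALL_PATH=""
INET_ADDR=""   # internal network (used as the spoofed source to drop below)
INET_DEV=""
ENET_ADDR=""
ENET_DEV=""    # external (Internet-facing) interface
TCP_SERVICES=""
UDP_SERVICES=""
ICMP_SERVICES=""
# NOTE(review): FIREWALL_PATH, INET_DEV, ENET_ADDR and the *_SERVICES lists
# are not referenced anywhere in this snippet.

# An empty -i / -s argument makes iptables reject the rule; check up front,
# before any existing rules are flushed.
: "${ENET_DEV:?set ENET_DEV (external interface) before running}"
: "${INET_ADDR:?set INET_ADDR (internal network) before running}"
if [[ ! -x "$IPT" ]]; then
  printf 'error: %s is not executable\n' "$IPT" >&2
  exit 1
fi

# Clear existing rules in every table
"$IPT" -F
"$IPT" -t nat -F
"$IPT" -t mangle -F
# Delete user-defined chains
"$IPT" -X
"$IPT" -t nat -X
"$IPT" -t mangle -X

# Default policy. -P sets the chain policy; -p (lower case) is the protocol
# match and would make iptables reject these lines.
"$IPT" -P INPUT DROP
"$IPT" -P OUTPUT DROP
"$IPT" -P FORWARD DROP
# NOTE(review): no INPUT/OUTPUT ACCEPT rules appear in this snippet, so as
# written the host itself has no connectivity once the policies are set.

# Anti-spoofing: drop packets arriving on the external interface whose
# *source* address claims to be our internal network (-s, not -d).
"$IPT" -A FORWARD -i "$ENET_DEV" -s "$INET_ADDR" -j DROP

# Drop new connection attempts (SYN) to unprivileged ports on the FORWARD path
"$IPT" -A FORWARD -p tcp -m multiport --dports "$HIGH_PORTS" --syn -j DROP

# Accept fragments (non-first fragments carry no port header to match on)
"$IPT" -A FORWARD -p tcp --fragment -j ACCEPT
"$IPT" -A FORWARD -p udp --fragment -j ACCEPT

# For FTP and SSH services, set control connections to "Minimum Delay"
# and FTP data to "Maximum Throughput"
"$IPT" -t mangle -A PREROUTING -p tcp --sport ssh -j TOS --set-tos Minimize-Delay
"$IPT" -t mangle -A PREROUTING -p tcp --sport ftp -j TOS --set-tos Minimize-Delay
"$IPT" -t mangle -A PREROUTING -p tcp --sport ftp-data -j TOS --set-tos Maximize-Throughput

# Drop malformed TCP segments: SYN and FIN set together (never valid), and
# FIN without ACK. "--tcp-flags MASK COMP" examines the flags in MASK and
# matches when exactly the flags in COMP are set among them.
"$IPT" -A FORWARD -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
"$IPT" -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST FIN -j DROP

# Do not allow Telnet packets at all
"$IPT" -A FORWARD -p tcp --sport 23 -j DROP
"$IPT" -A FORWARD -p tcp --dport 23 -j DROP

# Block all external traffic directed to the ports listed in
# INVALID_TCP_PORTS / INVALID_UDP_PORTS (the UDP rule uses the UDP list).
"$IPT" -A FORWARD -i "$ENET_DEV" -p tcp -m multiport --dports "$INVALID_TCP_PORTS" -j DROP
"$IPT" -A FORWARD -i "$ENET_DEV" -p udp -m multiport --dports "$INVALID_UDP_PORTS" -j DROP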