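#!/bin/bash
# iptables packet-filter setup.
#
# Flushes every table, sets DROP default policies and installs a set of
# FORWARD-chain sanity rules (anti-spoofing, bogus TCP flag combinations,
# telnet, and a list of ports that must never be reachable from the
# external interface).
#
# NOTE(review): as visible here the script installs no ACCEPT rule in
# INPUT or OUTPUT and no ESTABLISHED/RELATED rule, so once the DROP
# policies are in place the host itself stops talking to the network.
# Run it from a console rather than over SSH, or add the accept rules
# (TCP_SERVICES/UDP_SERVICES/ICMP_SERVICES are declared but unused).
set -euo pipefail

IPT="/sbin/iptables"
# Ports never accepted from the external interface: the 32768-32775
# ephemeral RPC range, NetBIOS (137-139), portmapper (111) and 115.
# NOTE(review): the original header comment listed 515 (lpd) here, the
# variable holds 115 — confirm which one was intended.
INVALID_TCP_PORTS="32768:32775,137:139,111,115"
INVALID_UDP_PORTS="32768:32775,137:139,111,115"
HIGH_PORTS="1025:65535"
FIREWALL_PATH=""
INET_ADDR=""   # internal (protected) network, e.g. 192.168.1.0/24 - fill in
INET_DEV=""    # internal interface
ENET_ADDR=""   # external address
ENET_DEV=""    # external (untrusted) interface - fill in
TCP_SERVICES=""
UDP_SERVICES=""
ICMP_SERVICES=""

# Refuse to run with the variables the rules below depend on still empty.
# Checking BEFORE the flush means a misconfigured invocation does not leave
# the box with emptied tables and half-applied rules.
: "${INET_ADDR:?INET_ADDR must be set to the internal network}"
: "${ENET_DEV:?ENET_DEV must be set to the external interface}"

# Clear existing rules in every table
"$IPT" -F
"$IPT" -t nat -F
"$IPT" -t mangle -F
# Delete user-defined chains
"$IPT" -X
"$IPT" -t nat -X
"$IPT" -t mangle -X

# Default policy: deny everything not explicitly allowed.
# (-P sets the chain policy; the original used -p, which is the protocol
# match and is rejected by iptables.)
"$IPT" -P INPUT DROP
"$IPT" -P OUTPUT DROP
"$IPT" -P FORWARD DROP

# Anti-spoofing: drop packets arriving on the external interface that
# claim a SOURCE address inside the internal network.
"$IPT" -A FORWARD -i "$ENET_DEV" -s "$INET_ADDR" -j DROP

# Drop inbound connection attempts (SYN) to the high port range.
"$IPT" -A FORWARD -p tcp -m multiport --dports "$HIGH_PORTS" --syn -j DROP

# Accept non-first fragments.
# NOTE(review): fragments carry no L4 header, so every port-based DROP
# below is bypassed for fragmented packets. Keep this only if the kernel
# reassembles before filtering (conntrack loaded); otherwise consider
# dropping fragments instead.
"$IPT" -A FORWARD -p tcp --fragment -j ACCEPT
"$IPT" -A FORWARD -p udp --fragment -j ACCEPT

# For FTP and SSH services, mark control connections "Minimize-Delay"
# and FTP data "Maximize-Throughput"
"$IPT" -A PREROUTING -t mangle -p tcp --sport ssh -j TOS --set-tos Minimize-Delay
"$IPT" -A PREROUTING -t mangle -p tcp --sport ftp -j TOS --set-tos Minimize-Delay
"$IPT" -A PREROUTING -t mangle -p tcp --sport ftp-data -j TOS --set-tos Maximize-Throughput

# Drop TCP packets with both SYN and FIN set (invalid combination used by
# scanners). The original mask/compare "SYN,ACK,FIN,RST SYN" matched a
# plain SYN and would have dropped every new forwarded connection.
"$IPT" -A FORWARD -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
# Drop TCP packets carrying FIN without ACK (FIN-scan style probes).
"$IPT" -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST FIN -j DROP

# Do not allow Telnet packets at all, in either direction
"$IPT" -A FORWARD -p tcp --sport 23 -j DROP
"$IPT" -A FORWARD -p tcp --dport 23 -j DROP

# Block all external traffic directed to the INVALID_*_PORTS lists.
# The UDP rule now uses the UDP list (the original reused the TCP list).
"$IPT" -A FORWARD -i "$ENET_DEV" -p tcp -m multiport --dports "$INVALID_TCP_PORTS" -j DROP
"$IPT" -A FORWARD -i "$ENET_DEV" -p udp -m multiport --dports "$INVALID_UDP_PORTS" -j DROP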