Iptables firewall for a personal computer
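#!/bin/bash
#
# Example iptables script that configures a host firewall for a
# personal machine: it discards malformed packets, drops traffic from
# a list of banned source addresses, and opens a controlled set of
# ports.
#
# Usage: firewall { start | stop | restart | status }
#
# Environment (all optional; the defaults preserve the original
# hard-coded values):
#   BANFILE  banned-address list, one address or CIDR per line; blank
#            lines and lines starting with '#' are ignored
#   IFACE    external interface the filtering rules are bound to
#   TRUSTED  address allowed to reach the X server and Samba ports
#
set -euo pipefail

readonly BANFILE="${BANFILE:-/root/banned}"
readonly IFACE="${IFACE:-eth0}"
readonly TRUSTED="${TRUSTED:-192.168.1.3}"

#######################################
# Print a diagnostic on stderr and abort.
# Arguments: message words
#######################################
die() {
  printf '%s: %s\n' "${0##*/}" "$*" >&2
  exit 1
}

#######################################
# Print a non-fatal diagnostic on stderr.
# Arguments: message words
#######################################
warn() {
  printf '%s: warning: %s\n' "${0##*/}" "$*" >&2
}

#######################################
# Flush all rules, delete user-defined chains and zero the counters
# of the filter table.
#######################################
flush_rules() {
  iptables -F
  iptables -X
  iptables -Z
}

#######################################
# Write a kernel parameter through /proc/sys.
# Arguments: $1 - path below /proc/sys, $2 - value
#######################################
set_sysctl() {
  printf '%s\n' "$2" > "/proc/sys/$1"
}

#######################################
# Create the PKT_FAKE chain: drops packets in INVALID state, illegal
# TCP flag combinations, NEW connections that do not start with SYN,
# and fragments. Ends with RETURN so the caller keeps evaluating.
#######################################
create_pkt_fake_chain() {
  iptables -N PKT_FAKE
  iptables -A PKT_FAKE -m state --state INVALID -j DROP
  iptables -A PKT_FAKE -p tcp --tcp-flags ALL ACK,RST,SYN,FIN -j DROP
  iptables -A PKT_FAKE -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
  iptables -A PKT_FAKE -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
  iptables -A PKT_FAKE -p tcp ! --syn -m state --state NEW -j DROP
  iptables -A PKT_FAKE -f -j DROP
  iptables -A PKT_FAKE -j RETURN
}

#######################################
# Create the BANNED chain from BANFILE.
# The chain is always created, even when the file is missing, so the
# jump from INPUT never refers to a chain that does not exist (the
# original only created it when the file was present, which made
# 'start' fail on a fresh machine). Lines are read one at a time
# rather than word-split, so whitespace or glob characters in the file
# cannot turn into extra arguments.
# Globals: BANFILE (read)
#######################################
create_banned_chain() {
  local ip
  iptables -N BANNED
  if [[ -f "$BANFILE" ]]; then
    # Deduplicate, skip blanks and '#' comments; iptables itself rejects
    # anything that is not a valid address or CIDR and aborts the run.
    while read -r ip || [[ -n "$ip" ]]; do
      if [[ -z "$ip" || "$ip" == \#* ]]; then
        continue
      fi
      iptables -A BANNED -s "$ip" -j DROP
    done < <(sort -u -- "$BANFILE")
  else
    warn "ban list $BANFILE not found; no addresses banned"
  fi
  iptables -A BANNED -j RETURN
}

#######################################
# Install the firewall rules.
# Default policies are set before any ACCEPT rule so that an abort
# part-way through (set -e) leaves the host closed rather than open.
# Globals: IFACE, TRUSTED (read)
#######################################
fw_start() {
  local mod port
  # Connection-tracking helpers for FTP and IRC. Module names vary
  # between kernel versions, so a load failure only warns.
  for mod in ip_conntrack_ftp ip_conntrack_irc; do
    modprobe "$mod" || warn "could not load module $mod"
  done
  echo "Generating firewall rules..."
  flush_rules
  iptables -P INPUT DROP
  iptables -P OUTPUT ACCEPT
  iptables -P FORWARD DROP
  # Ignore broadcast pings and ICMP redirects.
  set_sysctl net/ipv4/icmp_echo_ignore_broadcasts 1
  set_sysctl net/ipv4/conf/all/accept_redirects 0
  create_pkt_fake_chain
  create_banned_chain
  # Discard invalid packets, then new connections from banned addresses.
  iptables -A INPUT -i "$IFACE" -j PKT_FAKE
  iptables -A INPUT -i "$IFACE" -m state --state NEW -j BANNED
  # Loopback and packets belonging to connections already tracked.
  iptables -A INPUT -i lo -j ACCEPT
  iptables -A INPUT -i "$IFACE" -m state --state ESTABLISHED,RELATED -j ACCEPT
  # ICMP.
  iptables -A INPUT -i "$IFACE" -p icmp -j ACCEPT
  # X server (remote X sessions) and Samba, only from the trusted host.
  iptables -A INPUT -i "$IFACE" -s "$TRUSTED" -p tcp --dport 6001 -j ACCEPT
  iptables -A INPUT -i "$IFACE" -s "$TRUSTED" -p tcp --dport 139 -j ACCEPT
  iptables -A INPUT -i "$IFACE" -s "$TRUSTED" -p tcp --dport 445 -j ACCEPT
  iptables -A INPUT -i "$IFACE" -s "$TRUSTED" -p udp --dport 137:138 -j ACCEPT
  # Ports open to everyone: SSH, Bittorrent, ed2k and IRC.
  for port in 22 6881 6891 4500:4505; do
    iptables -A INPUT -i "$IFACE" -p tcp --dport "$port" -j ACCEPT
  done
}

#######################################
# Remove the firewall rules. Note this leaves INPUT wide open
# (policy ACCEPT), as the original 'stop' did.
#######################################
fw_stop() {
  echo "Removing firewall rules..."
  flush_rules
  iptables -P INPUT ACCEPT
  iptables -P OUTPUT ACCEPT
  iptables -P FORWARD DROP
}

#######################################
# Entry point.
# Arguments: $1 - start | stop | restart | status
# Returns: 0 on success, 2 on bad usage, 1 on error
#######################################
main() {
  case "${1:-}" in
    start)
      (( EUID == 0 )) || die "must be run as root"
      fw_start
      ;;
    stop)
      (( EUID == 0 )) || die "must be run as root"
      fw_stop
      ;;
    restart)
      "$0" stop
      "$0" start
      ;;
    status)
      iptables -nL
      ;;
    *)
      printf 'Usage: %s { start | stop | restart | status }\n' "$0" >&2
      exit 2
      ;;
  esac
}

main "$@"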