Iptables firewall for a personal computer
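#!/bin/bash
#
# Example iptables script for a personal machine (IPv4 only).
#
# Drops malformed packets, drops new connections from the addresses
# listed in BANFILE, and accepts inbound traffic only on an explicit
# set of ports.  The INPUT policy is DROP, so anything not listed below
# (including traffic arriving on interfaces other than IFACE) is dropped.
#
# CAVEAT: only iptables (IPv4) is configured.  ip6tables is not touched,
# so if this host has IPv6 connectivity that traffic is not filtered by
# this script at all; configure ip6tables separately.
#
# Usage: $0 { start | stop | restart | status }
#
# Settings (the environment overrides the defaults):
#   BANFILE  file of banned sources, one IPv4 address or CIDR per line;
#            blank lines and '#' comments are ignored
#   IFACE    the interface facing the network
#   XHOST    the single host allowed to reach the X server and Samba
set -u

BANFILE="${BANFILE:-/root/banned}"
IFACE="${IFACE:-eth0}"
XHOST="${XHOST:-192.168.1.3}"

# Number of iptables commands that failed; reflected in the exit status.
failures=0

# Run iptables, reporting (but not aborting on) failure.  With INPUT
# policy DROP a missing ACCEPT rule fails closed, so carrying on is safe;
# the error is still counted so the caller is not told "success".
ipt() {
  if ! iptables "$@"; then
    printf 'firewall: iptables %s failed\n' "$*" >&2
    failures=$((failures + 1))
  fi
}

# Write a value to a /proc/sys knob, skipping knobs this kernel lacks.
set_knob() {
  local knob=$1 value=$2
  if [[ -w "$knob" ]]; then
    printf '%s\n' "$value" > "$knob"
  else
    printf 'firewall: %s not available, skipped\n' "$knob" >&2
  fi
}

# Refuse to touch the firewall unless running as root; otherwise every
# iptables call fails and the progress messages would be misleading.
require_root() {
  if [[ "$(id -u)" -ne 0 ]]; then
    printf '%s: must be run as root\n' "$0" >&2
    exit 1
  fi
}

# Flush all rules, delete user-defined chains and zero the counters.
flush_rules() {
  ipt -F
  ipt -X
  ipt -Z
}

# Chain PKT_FAKE: drop packets no legitimate TCP stack produces.
build_pkt_fake() {
  ipt -N PKT_FAKE
  ipt -A PKT_FAKE -m state --state INVALID -j DROP
  # Scan-style flag combinations that never occur in a real handshake.
  ipt -A PKT_FAKE -p tcp --tcp-flags ALL ACK,RST,SYN,FIN -j DROP
  ipt -A PKT_FAKE -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
  ipt -A PKT_FAKE -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
  # A new connection must begin with a bare SYN.
  ipt -A PKT_FAKE -p tcp ! --syn -m state --state NEW -j DROP
  # Fragments are dropped outright.  NOTE(review): with connection
  # tracking loaded the kernel is expected to reassemble before this
  # chain sees the packet -- verify on the target kernel if fragments
  # matter to you.
  ipt -A PKT_FAKE -f -j DROP
  ipt -A PKT_FAKE -j RETURN
}

# Chain BANNED: drop everything from the sources listed in BANFILE.
# The chain is always created (possibly empty) so that the jump to it
# from INPUT is valid even when the file is missing -- previously the
# jump was issued unconditionally and failed without the file.
build_banned() {
  ipt -N BANNED
  if [[ -f "$BANFILE" ]]; then
    local entry
    # First whitespace-separated field of each line; blank lines and
    # '#' lines are skipped, trailing comments are ignored.
    while read -r entry _; do
      case "$entry" in
        ''|\#*) continue ;;
      esac
      # Only IPv4 literals / CIDRs are accepted.  Anything else (hostnames,
      # or a stray "-option" that iptables would parse as a flag) is
      # reported and skipped rather than silently changing the rule set.
      if [[ ! "$entry" =~ ^[0-9]{1,3}(\.[0-9]{1,3}){3}(/[0-9]{1,2})?$ ]]; then
        printf 'firewall: ignoring invalid ban entry %q\n' "$entry" >&2
        continue
      fi
      ipt -A BANNED -s "$entry" -j DROP
    done < <(sort -u -- "$BANFILE")
  else
    printf 'firewall: %s not found, no addresses banned\n' "$BANFILE" >&2
  fi
  ipt -A BANNED -j RETURN
}

# The INPUT chain proper.  Order matters: sanity checks and the ban
# list run first, then the broad ACCEPTs, then the per-service rules.
build_input() {
  ipt -A INPUT -i "$IFACE" -j PKT_FAKE
  # Only NEW connections are checked against the ban list, so a session
  # that was already established keeps working after its peer is banned;
  # add ESTABLISHED here if that is not wanted.
  ipt -A INPUT -i "$IFACE" -m state --state NEW -j BANNED
  # Loopback, and replies to connections this host opened.
  ipt -A INPUT -i lo -j ACCEPT
  ipt -A INPUT -i "$IFACE" -m state --state ESTABLISHED,RELATED -j ACCEPT
  # Every ICMP type is accepted, not just echo-request.
  ipt -A INPUT -i "$IFACE" -p icmp -j ACCEPT
  # X server display :1 (TCP 6001) and Samba, from XHOST only.  This is
  # a source-address match and nothing more; a host on the same segment
  # could spoof it, so do not treat it as authentication.
  ipt -A INPUT -i "$IFACE" -s "$XHOST" -p tcp --dport 6001 -j ACCEPT
  ipt -A INPUT -i "$IFACE" -s "$XHOST" -p tcp --dport 139 -j ACCEPT
  ipt -A INPUT -i "$IFACE" -s "$XHOST" -p tcp --dport 445 -j ACCEPT
  ipt -A INPUT -i "$IFACE" -s "$XHOST" -p udp --dport 137:138 -j ACCEPT
  # Open to everyone: SSH, BitTorrent, ed2k and IRC.
  ipt -A INPUT -i "$IFACE" -p tcp --dport 22 -j ACCEPT
  ipt -A INPUT -i "$IFACE" -p tcp --dport 6881 -j ACCEPT
  ipt -A INPUT -i "$IFACE" -p tcp --dport 6891 -j ACCEPT
  ipt -A INPUT -i "$IFACE" -p tcp --dport 4500:4505 -j ACCEPT
}

# Build the whole rule set from scratch.
start() {
  require_root
  # Connection-tracking helpers for FTP and IRC (DCC).  The modules were
  # renamed from ip_conntrack_* to nf_conntrack_*; try the current name
  # first.  NOTE(review): on recent kernels helpers are not assigned to
  # flows automatically by default (nf_conntrack_helper=0) and need a
  # CT --helper rule -- confirm on the target kernel.
  modprobe nf_conntrack_ftp 2>/dev/null || modprobe ip_conntrack_ftp
  modprobe nf_conntrack_irc 2>/dev/null || modprobe ip_conntrack_irc
  echo "Generating firewall rules..."
  # Fail closed: set the policies before the chains are emptied and
  # rebuilt, so nothing is let in while the rules are not yet there.
  ipt -P INPUT DROP
  ipt -P OUTPUT ACCEPT
  ipt -P FORWARD DROP
  flush_rules
  # Kernel knobs: ignore broadcast pings (smurf amplification), refuse
  # ICMP redirects and source-routed packets.
  set_knob /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts 1
  set_knob /proc/sys/net/ipv4/conf/all/accept_redirects 0
  set_knob /proc/sys/net/ipv4/conf/all/accept_source_route 0
  build_pkt_fake
  build_banned
  build_input
}

# Remove every rule and open INPUT.  This is "firewall off", not
# "block everything" -- the host is fully reachable afterwards.
stop() {
  require_root
  echo "Removing firewall rules..."
  flush_rules
  ipt -P INPUT ACCEPT
  ipt -P OUTPUT ACCEPT
  ipt -P FORWARD DROP
}

case "${1:-}" in
  start)
    start
    ;;
  stop)
    stop
    ;;
  restart)
    # start already flushes and rebuilds everything; going through stop
    # first would leave INPUT at ACCEPT for the window in between.
    start
    ;;
  status)
    iptables -nvL --line-numbers
    ;;
  *)
    echo "Usage: $0 { start | stop | restart | status }"
    ;;
esac
# Non-zero if any iptables command failed (details went to stderr).
[[ "$failures" -eq 0 ]] || exit 1
exit 0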