Firewall config (example)
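#!/bin/bash
# Firewall config (example): hardens a few IPv4 kernel tunables, resets every
# iptables table, installs default-DROP policies and admits only loopback
# traffic. User chains listed in USER_CHAINS are created empty for later rules.
# Must run as root. No rule below admits remote access, so run it from the
# console: an SSH session is cut as soon as the DROP policies take effect.
set -eu            # stop at the first failed command or unset variable
shopt -s nullglob  # an unmatched /proc glob expands to nothing, not a literal

IPT="/sbin/iptables"
INT_INTERFACE="eth0"
LOO_INTERFACE="lo"
# Site-specific values, deliberately left empty in this example.
IPADDR=""
SUBNET_BASE=""
SUBNET_BROADCAST=""
MY_ISP=""
LOOPBACK="127.0.0.1/8"
CLASS_A="10.0.0.0/8"
CLASS_B="172.16.0.0/12"
CLASS_C="192.168.0.0/16"
# These two assignments were fused onto one line, which silently produced a
# single variable with the second assignment glued into its value.
BROADCAST_SRC="0.0.0.0"
BROADCAST_DECT="255.255.255.255"   # name kept as written; presumably "DEST"
PRIV_PORTS="0:1023"
UNPRIV_PORTS="1024:65535"          # was 1024:65525; the port range ends at 65535
TRACEROUTE_SRC_PORTS="32769:65535"
TRACEROUTE_DEST_PORTS="33434:33523"
USER_CHAINS="EXT_input EXT_output"

#######################################
# Write one value into each given kernel tunable.
# Arguments: $1 - value to write, $2.. - tunable paths (globs already expanded
#            by the caller; with nullglob an unmatched glob passes nothing)
# Returns:   non-zero (and aborts via set -e) if a tunable cannot be written
#######################################
set_tunable() {
  local value=$1
  shift
  local tunable
  for tunable in "$@"; do
    echo "$value" > "$tunable"
  done
}

#######################################
# Apply the IPv4 sysctl hardening. Runs before any iptables change, so a
# failure here aborts with the previous firewall rules still in place.
#######################################
harden_sysctl() {
  # Ignore ICMP echo requests sent to a broadcast address.
  set_tunable 1 /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
  # Reject source-routed packets. The original path read "ipc4", which never
  # matched, so this setting was silently skipped.
  set_tunable 0 /proc/sys/net/ipv4/conf/*/accept_source_route
  # Enable TCP SYN cookies.
  set_tunable 1 /proc/sys/net/ipv4/tcp_syncookies
  # Neither accept nor send ICMP redirects.
  set_tunable 0 /proc/sys/net/ipv4/conf/*/accept_redirects
  set_tunable 0 /proc/sys/net/ipv4/conf/*/send_redirects
}

#######################################
# Set default-DROP policies, then flush and delete every chain in the filter,
# nat and mangle tables.
# Globals: IPT (read)
#######################################
reset_tables() {
  # Policies first, so there is no accept-all window while old rules are
  # being flushed.
  "$IPT" --policy INPUT DROP
  "$IPT" --policy OUTPUT DROP
  "$IPT" --policy FORWARD DROP
  # The original "--t nat" was not a valid option, so nat was never flushed.
  local table
  for table in filter nat mangle; do
    "$IPT" -t "$table" --flush
    "$IPT" -t "$table" -X
  done
}

#######################################
# Allow unlimited loopback traffic and create the user-defined chains.
# Globals: IPT, LOO_INTERFACE, USER_CHAINS (read)
#######################################
apply_base_rules() {
  # OUTPUT has no in-interface; iptables rejects -i there, so match on -o.
  # With the original -i the rule failed and loopback output stayed DROPped.
  "$IPT" -A INPUT -i "$LOO_INTERFACE" -j ACCEPT
  "$IPT" -A OUTPUT -o "$LOO_INTERFACE" -j ACCEPT
  local chain
  # shellcheck disable=SC2086 -- USER_CHAINS is a deliberately space-separated list
  for chain in $USER_CHAINS; do
    "$IPT" -N "$chain"
  done
}

main() {
  harden_sysctl
  reset_tables
  apply_base_rules
}
main "$@"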