[SATLUG] IPTABLES help

Ed Coates edcoates at gmail.com
Sun Mar 18 12:11:35 CDT 2007


On 3/18/07, Bruce Dubbs <bruce.dubbs at gmail.com> wrote:
> Ed Coates wrote:
>
> You don't give your entire script.  You are obviously doing NAT and we
> can't see what else you are doing.
>
> I suspect you may get what you want if you block INPUT, but I wonder why
> you want to block everything that way.  Wouldn't it be easier to just
> disconnect the computer at the physical layer.  That is, unplug the
> ethernet cable or disable a wireless interface?
>
>  -- Bruce
It's more of a "I want to learn how to do it," than anything else.  :)
 I know that I can get up and physically remove the USB nic, but it's
a pain since the USB ports are in the back of the machine.

Here is my current iptables firewall script:

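#
#  Start IP Forwarding
#
# Without this the kernel never routes between the two interfaces and the
# FORWARD/NAT rules below see no traffic at all.
echo "1" > /proc/sys/net/ipv4/ip_forward

#setup some constants

#######################################
# Pull one value out of net-tools style ifconfig output read from stdin
# ("inet addr:A.B.C.D  Bcast:...  Mask:M.M.M.M").
# Arguments: $1 - "addr" (IPv4 address) or "mask" (netmask)
# Outputs:   the dotted quad on stdout; empty when no "inet addr" line exists
# Returns:   1 for an unknown field name
#######################################
inet_field() {
  local which=$1
  # Anchor on "inet addr" so the "inet6 addr:" line can never be picked up.
  case "${which}" in
    addr) grep 'inet addr' | cut -d : -f 2 | cut -d ' ' -f 1 ;;
    mask) grep 'inet addr' | cut -d : -f 4 ;;
    *) return 1 ;;
  esac
}

#######################################
# Address or netmask of a live interface, via ifconfig.
# Arguments: $1 - interface name, $2 - "addr" or "mask"
# Outputs:   see inet_field
#######################################
iface_field() {
  ifconfig "$1" | inet_field "$2"
}

OUTERIF=eth0
REMOTENET=0/0
OUTERIP=$(iface_field "${OUTERIF}" addr)
OUTERMASK=$(iface_field "${OUTERIF}" mask)
OUTERNET=${OUTERIP}/${OUTERMASK}
INTERNALIF=eth1
INTERNALIP=$(iface_field "${INTERNALIF}" addr)
INTERNALMASK=$(iface_field "${INTERNALIF}" mask)
INTERNALNET=${INTERNALIP}/${INTERNALMASK}

# The MASQUERADE and "-d $INTERNALNET" rules later on are built from these;
# if ifconfig printed nothing usable (interface down, or a newer ifconfig
# output format) say so now instead of letting those rules fail silently.
if [ -z "${OUTERIP}" ] || [ -z "${INTERNALIP}" ]; then
  printf 'warning: could not read addresses of %s/%s from ifconfig\n' \
    "${OUTERIF}" "${INTERNALIF}" >&2
fi

IPTABLES=/sbin/iptables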

#load any modules needed for connection tracking
#allow passive ftp
# The FTP and IRC helpers let conntrack/NAT follow the secondary data (FTP)
# and DCC (IRC) connections those protocols negotiate in-band.
for module in ip_conntrack_ftp ip_conntrack_irc ip_nat_ftp ip_nat_irc; do
  /sbin/modprobe "${module}"
done
echo "started connection tracking"

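#######################################
# Create a user chain that logs a packet twice -- ULOG to netlink group 1
# and the kernel log, both tagged with PREFIX -- and then applies VERDICT.
# Nothing flushes the tables first, so re-running the script makes -N fail
# on chains that already exist and appends duplicate rules.
# Globals:   IPTABLES (read)
# Arguments: $1 - table (filter or nat)
#            $2 - chain name to create
#            $3 - log prefix
#            $4 - final target (DROP or ACCEPT)
#######################################
log_chain() {
  local table=$1 chain=$2 prefix=$3 verdict=$4
  "${IPTABLES}" -t "${table}" -N "${chain}"
  # ULOG is the pre-NFLOG userspace logging target; recent kernels no longer
  # ship it, so this line is the first to break on a newer system.
  "${IPTABLES}" -t "${table}" -A "${chain}" -j ULOG --ulog-nlgroup 1 --ulog-prefix "${prefix}"
  "${IPTABLES}" -t "${table}" -A "${chain}" -j LOG --log-prefix "${prefix}"
  "${IPTABLES}" -t "${table}" -A "${chain}" -j "${verdict}"
}

log_chain filter ILOG_DROP INPUT_DROP DROP
log_chain filter TAIWAN_DROP TAIWAN_DROP DROP

# nat-table drop chain: kernel log only, no ULOG copy.
"${IPTABLES}" -t nat -N LOG_DROP
"${IPTABLES}" -t nat -A LOG_DROP -j LOG --log-prefix NAT_DROP
"${IPTABLES}" -t nat -A LOG_DROP -j DROP

log_chain filter OLOG_DROP OUTPUT_DROP DROP
log_chain filter FLOG_DROP FORWARD_DROP DROP
log_chain filter ADLOG_DROP ADVERT_DROP DROP
# DLINK logs and then ACCEPTs; no later rule in this script jumps to it.
log_chain filter DLINK DLINK ACCEPT
log_chain filter SSH_DROP SSH_DROP DROP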

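#individual port forwarding
#
# Every forward below is a DNAT in nat/PREROUTING.  The nat table only sees
# the first packet of a connection, so the order of these rules decides which
# one a new flow hits, and a LOG_DROP placed here only ever drops flow openers.

#######################################
# DNAT one inbound port arriving on the outside interface to an internal host.
# Globals:   IPTABLES, OUTERIF (read)
# Arguments: $1 - protocol (tcp or udp)
#            $2 - destination port as seen on $OUTERIF
#            $3 - internal host, optionally host:port
#######################################
dnat_port() {
  local proto=$1 port=$2 target=$3
  "${IPTABLES}" -A PREROUTING -t nat -p "${proto}" -i "${OUTERIF}" --dport "${port}" -j DNAT --to "${target}"
}

#
#  AMPR
#
# These two match on source address only: any protocol, any port, arriving on
# any interface from these hosts is handed to the internal machine.
"${IPTABLES}" -A PREROUTING -t nat -s 128.54.16.18 -j DNAT --to 192.168.2.9
"${IPTABLES}" -A PREROUTING -t nat -s 71.29.221.62 -j DNAT --to 192.168.2.6
# Whole-protocol forwards: these are raw IP protocol numbers (see
# /etc/protocols), not TCP/UDP ports.
for proto in 4 40 93 94; do
  "${IPTABLES}" -A PREROUTING -t nat -p "${proto}" -i "${OUTERIF}" -j DNAT --to 192.168.2.9
done
dnat_port tcp 23 192.168.2.9:23
dnat_port tcp 25 192.168.2.9:25
dnat_port tcp 80 192.168.2.9:80
dnat_port tcp 81 192.168.2.9:81
dnat_port tcp 8080 192.168.2.12:80
dnat_port tcp 443 192.168.2.9:443
dnat_port udp 443 192.168.2.9:443
#KAZAA
dnat_port tcp 1746 192.168.2.6:1746
dnat_port tcp 1214 192.168.2.6:1214
dnat_port tcp 2317 192.168.2.9:2317
dnat_port tcp 3306 192.168.2.9:3306
dnat_port tcp 3144 192.168.2.9:3144
dnat_port udp 3144 192.168.2.9:3144
#Ports for Delta Force
dnat_port udp 3568 192.168.2.6:3568
dnat_port udp 3569 192.168.2.6:3569
#Port for Fluid Stream
dnat_port tcp 4711 192.168.2.9:4711
dnat_port udp 4711 192.168.2.9:4711
#Ports for FICS
dnat_port udp 5000 192.168.2.3:5000
#Ports for Echolink
dnat_port udp 5198 192.168.2.9:5198
dnat_port udp 5199 192.168.2.9:5199
dnat_port tcp 5200 192.168.2.9:5200
#Ports for MUTELLA
for port in 6346 6347 6348; do
  dnat_port tcp "${port}" "192.168.2.9:${port}"
done
# Source-port matches: any inbound TCP connection whose *source* port is
# 6346-6348 is sent to 192.168.2.9 regardless of the port it is aimed at.
# The source port is chosen by the remote end, so these three rules expose
# every TCP service on 192.168.2.9 to anyone who picks that port; the --dport
# forwards just above already cover the Gnutella case.  Review before keeping.
for port in 6346 6347 6348; do
  "${IPTABLES}" -A PREROUTING -t nat -p tcp -i "${OUTERIF}" --sport "${port}" -j DNAT --to 192.168.2.9
done
# Ports for LIMEWIRE
dnat_port tcp 30592 192.168.2.9:30592
dnat_port udp 30592 192.168.2.9:30592
# Ports for Bit Torrent
for port in {6881..6890}; do
  dnat_port tcp "${port}" "192.168.2.9:${port}"
  dnat_port udp "${port}" "192.168.2.9:${port}"
done
#Ports for MSN
for port in {6891..6901}; do
  dnat_port tcp "${port}" "192.168.2.6:${port}"
done
dnat_port udp 6901 192.168.2.6:6901
# Ports for Jabber
dnat_port tcp 1234 192.168.2.9:1234
dnat_port udp 1234 192.168.2.9:1234
# Ports for Speak Freely
for port in 2074 2075 2076; do
  dnat_port udp "${port}" "192.168.2.9:${port}"
done
for port in 5222 5223 5233 5555 5269 7009 9001 9875 31518; do
  dnat_port tcp "${port}" "192.168.2.9:${port}"
  dnat_port udp "${port}" "192.168.2.9:${port}"
done
#Ports for ICQ
for port in {8880..8890}; do
  dnat_port tcp "${port}" "192.168.2.6:${port}"
done
#Ports for AOL
dnat_port tcp 8891 192.168.2.6:8891
# Anything arriving on the outside interface that is already addressed to the
# internal network is logged and dropped (first packet of the flow only, this
# being the nat table).  Traffic to the firewall's own public address does not
# match, so the forwards appended after this rule still work.
"${IPTABLES}" -A PREROUTING -t nat -i "${OUTERIF}" -d "${INTERNALNET}" -j LOG_DROP
#Ports for ShoutCast
dnat_port tcp 8000 192.168.2.9:8000
dnat_port tcp 8001 192.168.2.9:8001
#SSH Port for Nightscape
dnat_port tcp 8022 192.168.2.9:22
#SSH Port for Nightmare
dnat_port tcp 8023 192.168.2.3:22
#Ports for VNC
for port in {5800..5804} {5900..5904}; do
  dnat_port tcp "${port}" "192.168.2.9:${port}"
done
#Port for XP Remote Connection
dnat_port tcp 3389 192.168.2.11:3389
#Port of IRC
dnat_port tcp 6667 192.168.2.9:6667

echo "started portfw."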

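# Hide the LAN behind the outside interface's address.
"${IPTABLES}" -t nat -A POSTROUTING -s "${INTERNALNET}" -o "${OUTERIF}" -j MASQUERADE
echo "MASQ now active."

"${IPTABLES}" -A FORWARD -i "${INTERNALIF}" -j ACCEPT
# Disabled alternative, kept for reference.  It used to be wrapped over two
# lines, which made the shell run the second half as a command of its own.
#${IPTABLES} -A FORWARD -a mstate --state NEW,ESTABLISHED,RELATED -i $EXT_IF -s ! $LOCAL_NET_1 -j ACCEPT
# NEW is accepted here from *both* interfaces.  That is what lets the DNAT'd
# ports through, but it also means FLOG_DROP and the DROP policy below only
# ever see packets conntrack classes as INVALID; restricting NEW to
# -i "${INTERNALIF}" would make the default-drop policy effective for
# everything that is not explicitly forwarded.  Left unchanged.
"${IPTABLES}" -A FORWARD -m state --state ESTABLISHED,RELATED,NEW -j ACCEPT
"${IPTABLES}" -A FORWARD -j FLOG_DROP
"${IPTABLES}" -P FORWARD DROP
echo "FORWARD rules now in place."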

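#INPUT rules

#
# Blacklist
#
# One or more addresses/CIDRs per line, whitespace separated.  Blank lines
# and lines starting with '#' are ignored.
BLOCKLIST=/root/blocklist

#######################################
# Append an INPUT drop rule for every address listed in a file.
# Globals:   IPTABLES (read)
# Arguments: $1 - path of the blocklist file
# Returns:   0, or 1 when the file cannot be read (nothing is added then)
#######################################
apply_blocklist() {
  local file=$1
  local -a words
  local addr
  if [ ! -r "${file}" ]; then
    printf 'blocklist %s is not readable, no blacklist rules added\n' "${file}" >&2
    return 1
  fi
  # read -a keeps the old whitespace-splitting behaviour (several entries on
  # one line); the '|| [ ... ]' half handles a last line without a newline.
  while read -r -a words || [ "${#words[@]}" -gt 0 ]; do
    [ "${#words[@]}" -eq 0 ] && continue
    case "${words[0]}" in
      \#*) continue ;;
    esac
    for addr in "${words[@]}"; do
      # SSH_DROP is just a log-and-drop chain; the name is historical.
      "${IPTABLES}" -A INPUT --source "${addr}" -j SSH_DROP
    done
  done < "${file}"
}

apply_blocklist "${BLOCKLIST}"

echo "BLACKLIST now in place"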

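#
# Kids Computer Rules
#
# INPUT only sees packets addressed to the firewall itself.  Traffic passing
# *through* the firewall to or from 192.168.2.3 goes via FORWARD, so this rule
# does not cut that host off from the Internet -- confirm the intent.
"${IPTABLES}" -A INPUT -i "${INTERNALIF}" -p all -d 192.168.2.3 -j DROP

# Per-source drops and allows, evaluated before the port rules below.
"${IPTABLES}" -A INPUT --source 202.43.195.13 -j TAIWAN_DROP
"${IPTABLES}" -A INPUT --source 168.95.192.2 -j TAIWAN_DROP
"${IPTABLES}" -A INPUT --source 168.95.4.0/24 -j TAIWAN_DROP
"${IPTABLES}" -A INPUT --source 168.95.0.0/24 -j TAIWAN_DROP
"${IPTABLES}" -A INPUT -p tcp --syn --source 64.194.250.200 -j ACCEPT
"${IPTABLES}" -A INPUT -p udp --source 64.194.250.200 -j ACCEPT
"${IPTABLES}" -A INPUT -p icmp --source 64.194.250.200 -j ACCEPT
"${IPTABLES}" -A INPUT -p tcp --syn --source 206.65.183.80 -j ADLOG_DROP
#allow ssh to the firewall from any NIC
# "any NIC" includes the outside interface, so the blacklist above is the
# only thing limiting who may try; add -i "${INTERNALIF}" or a --source here
# to narrow it.
"${IPTABLES}" -A INPUT -p tcp --syn --dport 22 -j ACCEPT
"${IPTABLES}" -A INPUT -p tcp --syn --dport 2317 -j ACCEPT
#${IPTABLES} -A INPUT -p tcp --syn --dport 25 -j ACCEPT
"${IPTABLES}" -A INPUT -p tcp --syn --dport 53 -j ACCEPT
"${IPTABLES}" -A INPUT -p udp --dport 53 -j ACCEPT
# DHCP client port, outside interface only.
"${IPTABLES}" -A INPUT -p udp -i "${OUTERIF}" --dport 68 -j DROP
#${IPTABLES} -A INPUT -p tcp --syn --dport 110 -j ACCEPT
#${IPTABLES} -A INPUT -p udp --dport 110 -j ACCEPT
#${IPTABLES} -A INPUT -p udp --syn --dport 110 -j ACCEPT
"${IPTABLES}" -A INPUT -p tcp --dport 113 -j ACCEPT
"${IPTABLES}" -A INPUT -p udp --dport 113 -j ACCEPT
"${IPTABLES}" -A INPUT -p tcp --dport 135 -j DROP
"${IPTABLES}" -A INPUT -p udp --dport 135 -j DROP
#${IPTABLES} -A INPUT -p tcp --dport 143 -j ACCEPT
#${IPTABLES} -A INPUT -p udp --dport 143 -j ACCEPT
"${IPTABLES}" -A INPUT -p tcp --syn --dport 445 -j DROP
"${IPTABLES}" -A INPUT -p tcp --syn --dport 500 -j ACCEPT
"${IPTABLES}" -A INPUT -p udp --dport 500 -j ACCEPT
"${IPTABLES}" -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Accept new connections that did not arrive on the outside interface (LAN
# and loopback).  '! -i' is the current negation syntax; the older '-i !'
# spelling is rejected by newer iptables releases.
"${IPTABLES}" -A INPUT -m state --state NEW ! -i "${OUTERIF}" -j ACCEPT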

#OUTPUT rules
#
# Kids Computer Rules
#
# Locally generated traffic toward the kids' machine is dropped on the LAN side.
"${IPTABLES}" -A OUTPUT -o "${INTERNALIF}" -p all -d 192.168.2.3 -j DROP
#
# Keep NetBIOS name/datagram/session chatter from leaving this host.
"${IPTABLES}" -A OUTPUT -p udp --dport 137:139 -j DROP
# Outbound ICMP that conntrack cannot tie to any flow is logged and dropped.
"${IPTABLES}" -A OUTPUT -p icmp -m state --state INVALID -j OLOG_DROP
echo "OUTPUT rules now in place."

#allow ping replies (may not be wanted)
# NOTE: echo-request is an inbound *ping*, not a reply -- this lets anyone
# ping the firewall.  Replies to this host's own pings are already accepted
# by the ESTABLISHED,RELATED rule above.
${IPTABLES} -A INPUT -p ICMP -s 0/0 --icmp-type echo-request -j ACCEPT
# Everything not accepted above is logged and dropped; the DROP policy is the
# backstop in case the chain is ever flushed.
${IPTABLES} -A INPUT -j ILOG_DROP
${IPTABLES} -P INPUT DROP
echo "INPUT rules now in place."

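#limit logging levels
# NOTE: FORWARD already ends in a terminating FLOG_DROP (preceded by a state
# ACCEPT that takes everything else), so this rule and the "defence" rules
# below are appended behind rules that match every packet and are never
# reached.  They would have to be inserted (-I) ahead of those to take effect.
"${IPTABLES}" -A FORWARD -m limit -j LOG
echo "log limiting in place"

#specific defence rules eg DoS attacks
# A rate-limited ACCEPT does not throttle anything by itself: packets over the
# limit simply fall through to the next rule.  Throttling needs a DROP for the
# same match placed directly after each of these.
#syn-flood protection
"${IPTABLES}" -A FORWARD -p tcp --syn -m limit --limit 1/s -j ACCEPT
#furtive port scanner
"${IPTABLES}" -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s -j ACCEPT
#ping of death
"${IPTABLES}" -A FORWARD -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT
echo "DOS defences set up."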

