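#!/bin/bash
#
# Build a small iptables firewall for a host that also acts as a NAT gateway.
#
# Usage: $0 trusted-interface [ trusted-interface [ ... ] ]
#
# Packets arriving on lo or on any listed "trusted" interface are accepted
# unconditionally, as are packets belonging to flows that are already open
# (ESTABLISHED,RELATED).  Everything else that reaches INPUT or FORWARD is
# dropped.  Traffic leaving through the external interface is masqueraded.
#
# Environment:
#   EXT_IF   interface to masquerade on (default: eth1)
#
# Must run as root.  Safe to re-run: the rules and chains left by a previous
# run are removed before the new ones are added, so nothing accumulates.

set -eu

if [ $# -eq 0 ]; then
  printf '%s\n' \
    "Usage: $0 trusted-interface [ trusted-interface [ ... ] ]" \
    " handy tricks:" \
    " * use + as a wild card (eg. cip+ matches all cipe interfaces)" \
    " * add 'modprobe ip_conntrack_ftp' to /etc/rc.d/rc.local" \
    " * add 'modprobe ip_nat_ftp' to /etc/rc.d/rc.local" >&2
  exit 1
fi

# Interface that faces the outside; the masquerade rule at the bottom
# matches on it.
ext_if=${EXT_IF:-eth1}

# ---- teardown ----
# "iptables -F" on its own only empties the chains: the user-defined allow
# and block chains survive, so a second run fails on "-N allow", carries on,
# and appends every rule (and the nat MASQUERADE rule) a second time.
# Flush, then delete our own chains if a previous run created them.
iptables -F
for chain in allow block; do
  if iptables -n -L "$chain" >/dev/null 2>&1; then
    iptables -X "$chain"
  fi
done
iptables -t nat -F POSTROUTING

# Fail closed: if a later command fails and set -e stops the script, the
# host is left dropping rather than accepting.  After a complete run the
# trailing "-j block" rules make these policies unreachable anyway.
iptables -P INPUT DROP
iptables -P FORWARD DROP

# ---- allow ----
iptables -N allow
# Anything arriving on lo or a trusted interface is accepted as-is, so a
# trusted interface gets no filtering at all.  Names may use the "+"
# wildcard (cip+ matches every interface whose name starts with cip).
for i in lo "$@"; do
  iptables -A allow -i "$i" -j ACCEPT
done
# Replies and related flows (e.g. FTP data once ip_conntrack_ftp is loaded).
iptables -A allow -m state --state ESTABLISHED,RELATED -j ACCEPT

# ---- block ----
iptables -N block
# Everything else is dropped silently.  Uncomment the LOG rule to see what is
# being dropped; "-m limit" rate-limits it so a flood cannot fill the log.
#iptables -A block -m limit -j LOG
iptables -A block -j DROP

# ---- INPUT ----
iptables -A INPUT -j allow
# ident has outlived its usefulness: answer with a TCP reset instead of
# letting the lookup hang until it times out.
iptables -A INPUT -p tcp --dport auth -j REJECT --reject-with tcp-reset
# Be nice and answer echo-requests.
iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
# Services this box may offer on untrusted interfaces; uncomment as needed.
# iptables -A INPUT -p tcp --dport http -j ACCEPT
# iptables -A INPUT -p tcp --dport https -j ACCEPT
# iptables -A INPUT -p tcp --dport domain -j ACCEPT   # not needed for a caching or internal-only server
# iptables -A INPUT -p udp --dport domain -j ACCEPT
# iptables -A INPUT -p tcp --dport ssh -j ACCEPT
# iptables -A INPUT -p udp --dport 50000:50002 -j ACCEPT   # CIPE
# Noisy LAN chatter -- DHCP client traffic, SMB/NetBIOS and the IGMP the
# cable modem sends -- is dropped here explicitly only so it never reaches
# the optional LOG rule in "block"; block would drop it anyway.
iptables -A INPUT -p udp --dport bootpc -j DROP
iptables -A INPUT -p udp --dport 137:139 -j DROP
iptables -A INPUT -p tcp --dport 137:139 -j DROP
iptables -A INPUT -p igmp -j DROP
iptables -A INPUT -j block

# ---- FORWARD ----
# Only traffic from trusted interfaces and already-open flows is routed.
iptables -A FORWARD -j allow
iptables -A FORWARD -j block

# ---- masquerading ----
iptables -t nat -A POSTROUTING -o "$ext_if" -j MASQUERADE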