
Thread: Anybody got some nice iptables firewall scripts?

  1. #1
    Join Date
    Jul 2012
    Beans
    4

    Anybody got some nice iptables firewall scripts?

    Wondering if anyone has got some nice iptables firewall scripts they would like to share?
    Last edited by chief grand teriki; July 4th, 2012 at 05:24 AM. Reason: spelling error

  2. #2
    Join Date
    Jul 2012
    Location
    Scotland
    Beans
    260
    Distro
    Ubuntu 12.04 Precise Pangolin

    Re: Anybody got some nice iptables firewall scripts?

    Ooh yeah - I need to update my iptables... it's shockingly out of date. Good call, Teriki.

  3. #3
    Join Date
    Oct 2009
    Beans
    Hidden!
    Distro
    Ubuntu 12.04 Precise Pangolin

    Re: Anybody got some nice iptables firewall scripts?

    I've been running this one for a long time. Use iptables-restore or iptables-apply to apply the rules.

    I use: post-up iptables-restore < /etc/network/iptables
    in /etc/network/interfaces to apply the rules at each boot.

    Code:
    # Generated by iptables-save v1.4.4 on Wed May 26 10:07:13 2010
    *filter
    :FORWARD ACCEPT [0:0]
    :INPUT ACCEPT [0:0]
    :OUTPUT ACCEPT [0:0]
    # REJECT connections with an invalid state
    -A INPUT -m state --state INVALID -j REJECT
    # Accept Related,Established connections
    -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    # Limit ICMP to 1/sec
    -A INPUT -p icmp -m limit --limit 1/sec -j ACCEPT
    # Accept ICMP from Local LAN
    -A INPUT -p icmp -s 192.168.1.0/24 -j ACCEPT
    # Accept Samba
    -A INPUT -p udp -m udp -s 192.168.1.0/24 --dport 137 -j ACCEPT
    -A INPUT -p udp -m udp -s 192.168.1.0/24 --dport 138 -j ACCEPT
    -A INPUT -p tcp -m tcp -s 192.168.1.0/24 --dport 139 -j ACCEPT
    -A INPUT -p tcp -m tcp -s 192.168.0.0/24 --dport 445 -j ACCEPT
    # 10 minute lockout if trying to bruteforce
    -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --set --name SSH --rsource
    -A INPUT -m recent --update --seconds 600 --hitcount 4 --rttl --name SSH --rsource -j REJECT
    # Accept SSH from Local LAN
    -A INPUT -p tcp -m tcp -s 192.168.1.0/24 --dport 22 -j ACCEPT
    # Accept Apache2 SSL
    -A INPUT -p tcp -m tcp -s 192.168.1.0/24 --dport 443 -j ACCEPT
    # Accept Apache2 HTTP
    -A INPUT -p tcp -m tcp -s 192.168.1.0/24 --dport 80 -j ACCEPT
    # Allow Loopback
    -A INPUT -i lo -j ACCEPT
    # REJECT all not accepted
    -A INPUT -j REJECT
    COMMIT
    # Completed on Wed May 26 10:07:13 2010
    # Generated by iptables-save v1.4.4 on Wed May 26 10:07:13 2010
    *mangle
    :PREROUTING ACCEPT [0:0]
    :INPUT ACCEPT [0:0]
    :FORWARD ACCEPT [0:0]
    :OUTPUT ACCEPT [0:0]
    :POSTROUTING ACCEPT [0:0]
    COMMIT
    # Completed on Wed May 26 10:07:13 2010
    # Generated by iptables-save v1.4.4 on Wed May 26 10:07:13 2010
    *nat
    :PREROUTING ACCEPT [0:0]
    :POSTROUTING ACCEPT [0:0]
    :OUTPUT ACCEPT [0:0]
    COMMIT
    # Completed on Wed May 26 10:07:13 2010
    Come to #ubuntuforums! We have cookies! | Basic Ubuntu Security Guide

    Tomorrow's an illusion and yesterday's a dream, today is a solution...
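
The post above loads its saved ruleset with iptables-restore at every boot. As an added example (not the poster's code), the script below checks an iptables-save style file before it reaches the live tables: a few structural checks that run without root, then iptables-restore's own --test mode, and only then the real load. The file path argument, the constructed sample ruleset and the particular checks are the example's own assumptions; it assumes the distribution's iptables-restore supports --test.

```shell
#!/bin/sh
# Added example, not the ruleset author's code: check an iptables-save style
# file before handing it to iptables-restore, so a typo in /etc/network/iptables
# cannot leave a server with a half-loaded filter table at boot.
# Assumed: the ruleset path is given as the first argument, and the
# distribution's iptables-restore supports --test (parse without loading).

# lint_ruleset FILE: structural checks that need neither root nor netfilter.
# Succeeds when every *table header is closed by a COMMIT, a *filter table
# exists, and the last INPUT rule is a catch-all REJECT or DROP (the chain
# policy is ACCEPT, so without that rule everything unmatched gets in).
lint_ruleset() {
    rules=$1
    [ -r "$rules" ] || { echo "lint: cannot read $rules" >&2; return 1; }
    tables=$(grep -c '^\*' "$rules" || true)
    commits=$(grep -c '^COMMIT$' "$rules" || true)
    if [ "$tables" -eq 0 ]; then
        echo "lint: no *table header found" >&2; return 1
    fi
    if [ "$tables" -ne "$commits" ]; then
        echo "lint: $tables table header(s) but $commits COMMIT line(s)" >&2; return 1
    fi
    grep -q '^\*filter$' "$rules" || { echo "lint: no *filter table" >&2; return 1; }
    last_input=$(grep '^-A INPUT ' "$rules" | tail -n 1)
    case $last_input in
        *"-j REJECT"*|*"-j DROP"*) ;;
        *) echo "lint: INPUT does not end with a catch-all REJECT/DROP" >&2; return 1 ;;
    esac
    return 0
}

# apply_ruleset FILE: lint, let iptables-restore parse it in test mode (no
# change to the live tables), and only then load it for real.
apply_ruleset() {
    lint_ruleset "$1" || return 1
    iptables-restore --test < "$1" || { echo "iptables-restore --test rejected $1" >&2; return 1; }
    iptables-restore < "$1"
}

# Constructed sample in iptables-save format (LAN and port are made up for the
# demo, modelled on the server ruleset in the thread); prints a temp file path.
write_sample_rules() {
    tmp=$(mktemp)
    cat > "$tmp" <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state INVALID -j REJECT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp -s 192.168.1.0/24 --dport 22 -j ACCEPT
-A INPUT -j REJECT
COMMIT
EOF
    echo "$tmp"
}

# Two deliberately broken variants of the sample: a missing COMMIT, which
# iptables-restore would reject part-way through, and a missing catch-all,
# which it would load without complaint while leaving INPUT wide open.
write_rules_without_commit() {
    src=$(write_sample_rules); tmp=$(mktemp)
    sed '/^COMMIT$/d' "$src" > "$tmp"; rm -f "$src"; echo "$tmp"
}
write_rules_without_catchall() {
    src=$(write_sample_rules); tmp=$(mktemp)
    sed '/^-A INPUT -j REJECT$/d' "$src" > "$tmp"; rm -f "$src"; echo "$tmp"
}

# Usage: ./check-rules.sh /etc/network/iptables   (lint, --test, then load; as root)
if [ $# -gt 0 ]; then
    apply_ruleset "$1"
fi
```

The lint step is deliberately narrow: it catches the two failure modes that bite at boot (a table left without its COMMIT, and an INPUT chain that never reaches a final REJECT), and leaves syntax to iptables-restore --test, which parses the whole file with the real match extensions loaded.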

  4. #4
    Join Date
    Feb 2011
    Location
    Coquitlam, B.C. Canada
    Beans
    1,427
    Distro
    Ubuntu 12.04 Precise Pangolin

    Re: Anybody got some nice iptables firewall scripts?

    Are you looking for iptables scripts for non-routers or routers? I ask because the two tend to be somewhat different, with router ones being more complicated.

    There was a longish thread some months ago that might be worth reading. JKyleOKC posted his iptables there at post 31: http://ubuntuforums.org/showpost.php...7&postcount=31 And there is a link to my iptables script in posting 36, but as correctly pointed out in later posts, I have some stuff that isn't needed anymore.

  5. #5
    Join Date
    Oct 2009
    Beans
    Hidden!
    Distro
    Ubuntu 12.04 Precise Pangolin

    Re: Anybody got some nice iptables firewall scripts?

    Nice thread.

    The one I posted above was for a server. Rules that deal with NAT and forwarding will look a lot different.

  6. #6
    Join Date
    Jan 2006
    Beans
    2,031

    Re: Anybody got some nice iptables firewall scripts?

    Ingress/Egress Firewall for a workstation. This allows the workstation to look up domain names and browse the internet, but does not allow any incoming traffic except for traffic related to our outgoing traffic (for example, it allows the DNS server to send you the DNS lookup traffic but only AFTER you request it). Useful if this machine only needs to be used to browse the internet.
    Code:
    #!/bin/sh
    
    ## Set default policy in case of typo in script
    iptables -P INPUT ACCEPT
    iptables -P FORWARD ACCEPT
    iptables -P OUTPUT ACCEPT
    
    ## Flush old rules
    iptables -F
    
    ## Allow loopback traffic
    iptables -A INPUT -i lo -j ACCEPT
    iptables -A OUTPUT -o lo -j ACCEPT   # OUTPUT matches the outgoing interface (-o); -i is rejected here
    
    ## Allow outbound DNS requests
    iptables -A OUTPUT -p udp --dport 53 -m state --state NEW -j ACCEPT
    
    ## Allow outbound HTTP/S requests
    iptables -A OUTPUT -p tcp --dport 80 --syn -m state --state NEW -j ACCEPT
    iptables -A OUTPUT -p tcp --dport 443 --syn -m state --state NEW -j ACCEPT
    
    ## Allow us to ping other machines
    iptables -A OUTPUT -p icmp --icmp-type echo-request -m state --state NEW -j ACCEPT
    
    ## Drop invalid packets
    iptables -A INPUT -m state --state INVALID -j DROP
    iptables -A OUTPUT -m state --state INVALID -j DROP
    
    ## Allow responses to traffic we previously allowed to/from this machine
    iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    
    ## Make default policy to drop all other traffic
    iptables -P INPUT DROP
    iptables -P FORWARD DROP
    iptables -P OUTPUT DROP
    Last edited by dfreer; July 11th, 2012 at 03:17 PM.
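
As an added example (not dfreer's script), the following generalises the workstation policy above in three ways: the allowed outbound TCP ports become arguments, every rule is pushed to both iptables and ip6tables (the script above programs IPv4 only, so an IPv6-capable workstation would still accept anything arriving over v6), and DRY_RUN=1 prints the commands instead of executing them. ICMPv6 is left open because neighbour discovery and router advertisements are not replies and IPv6 stops working under a DROP policy without them. It uses -m conntrack --ctstate in place of the older -m state alias; the run/fw helper names and the DRY_RUN convention are the example's own.

```shell
#!/bin/sh
# Added example, not dfreer's script: the workstation ingress/egress policy
# from the thread, generalised to a list of outbound TCP ports and to IPv6,
# with a dry-run mode. Assumed: iptables and ip6tables are installed and the
# script runs as root when DRY_RUN is not set.

# run CMD...: execute, or print the command line when DRY_RUN=1.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}
fw()  { run iptables "$@"; run ip6tables "$@"; }   # same rule for both stacks
fw4() { run iptables "$@"; }
fw6() { run ip6tables "$@"; }

# build_workstation_policy PORT...: outbound DNS plus the given TCP ports,
# inbound only replies to what this host started, everything else dropped.
build_workstation_policy() {
    # Open policies first so that an error half-way through does not strand the box.
    fw -P INPUT ACCEPT
    fw -P FORWARD ACCEPT
    fw -P OUTPUT ACCEPT
    fw -F

    fw -A INPUT -i lo -j ACCEPT
    fw -A OUTPUT -o lo -j ACCEPT   # -o: OUTPUT matches the outgoing interface

    # Malformed or out-of-state packets first, before anything can accept them.
    fw -A INPUT -m conntrack --ctstate INVALID -j DROP
    fw -A OUTPUT -m conntrack --ctstate INVALID -j DROP

    # Replies to connections this host initiated.
    fw -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    fw -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

    # Outbound DNS: UDP, plus TCP for answers too large for one datagram.
    fw -A OUTPUT -p udp --dport 53 -m conntrack --ctstate NEW -j ACCEPT
    fw -A OUTPUT -p tcp --dport 53 -m conntrack --ctstate NEW -j ACCEPT

    # Outbound TCP services to reach (80 443 for plain browsing).
    for port in "$@"; do
        fw -A OUTPUT -p tcp --dport "$port" --syn -m conntrack --ctstate NEW -j ACCEPT
    done

    # Outbound ping for IPv4.
    fw4 -A OUTPUT -p icmp --icmp-type echo-request -m conntrack --ctstate NEW -j ACCEPT

    # IPv6 needs ICMPv6 (neighbour discovery, router advertisements, PMTU) in
    # both directions; these are not replies, so ESTABLISHED,RELATED does not
    # cover them. A tighter policy would list individual --icmpv6-type values.
    fw6 -A INPUT -p icmpv6 -j ACCEPT
    fw6 -A OUTPUT -p icmpv6 -j ACCEPT

    # Now close the doors.
    fw -P INPUT DROP
    fw -P FORWARD DROP
    fw -P OUTPUT DROP
}

# Usage: DRY_RUN=1 ./workstation-fw.sh 80 443   (preview the commands)
#        ./workstation-fw.sh 80 443             (apply, as root)
if [ $# -gt 0 ]; then
    build_workstation_policy "$@"
fi
```

Previewing with DRY_RUN=1 before applying is worth the habit on any box you reach over the network: the ordering (open policies, flush, rules, then DROP policies) is what keeps a typo from cutting the session, and the printed list makes a missing rule obvious before the kernel sees it.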
