Wondering if anyone has got some nice iptables firewall scripts they would like to share??
Last edited by chief grand teriki; July 4th, 2012 at 05:24 AM. Reason: spelling error
Ooh yeah - I need to update my iptables... it's shockingly out of date. Good call Teriki
I've been running this one for a long time. Use iptables-restore or iptables-apply to apply the rules.
I use: post-up iptables-restore < /etc/network/iptables
in /etc/network/interfaces to apply the rules at each boot.
Code:
# Generated by iptables-save v1.4.4 on Wed May 26 10:07:13 2010
*filter
:FORWARD ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# REJECT connections with an invalid state
-A INPUT -m state --state INVALID -j REJECT
# Accept Related,Established connections
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# Limit ICMP to 1/sec
-A INPUT -p icmp -m limit --limit 1/sec -j ACCEPT
# Accept ICMP from Local LAN
-A INPUT -p icmp -s 192.168.1.0/24 -j ACCEPT
# Accept Samba
-A INPUT -p udp -m udp -s 192.168.1.0/24 --dport 137 -j ACCEPT
-A INPUT -p udp -m udp -s 192.168.1.0/24 --dport 138 -j ACCEPT
-A INPUT -p tcp -m tcp -s 192.168.1.0/24 --dport 139 -j ACCEPT
-A INPUT -p tcp -m tcp -s 192.168.0.0/24 --dport 445 -j ACCEPT
# 10 minute lockout if trying to bruteforce
-A INPUT -p tcp --dport 22 -m state --state NEW -m recent --set --name SSH --rsource
-A INPUT -m recent --update --seconds 600 --hitcount 4 --rttl --name SSH --rsource -j REJECT
# Accept SSH from Local LAN
-A INPUT -p tcp -m tcp -s 192.168.1.0/24 --dport 22 -j ACCEPT
# Accept Apache2 SSL
-A INPUT -p tcp -m tcp -s 192.168.1.0/24 --dport 443 -j ACCEPT
# Accept Apache2 HTTP
-A INPUT -p tcp -m tcp -s 192.168.1.0/24 --dport 80 -j ACCEPT
# Allow Loopback
-A INPUT -i lo -j ACCEPT
# REJECT all not accepted
-A INPUT -j REJECT
COMMIT
# Completed on Wed May 26 10:07:13 2010
# Generated by iptables-save v1.4.4 on Wed May 26 10:07:13 2010
*mangle
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT
# Completed on Wed May 26 10:07:13 2010
# Generated by iptables-save v1.4.4 on Wed May 26 10:07:13 2010
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
# Completed on Wed May 26 10:07:13 2010
Come to #ubuntuforums! We have cookies! | Basic Ubuntu Security Guide
Tomorrow's an illusion and yesterday's a dream, today is a solution...
Are you looking for iptables scripts for non-routers or routers? I ask because the two tend to be somewhat different, with router ones being more complicated.
There was a longish thread some months ago, that might be worth reading. JKyleOKC posted his iptables there at post 31: http://ubuntuforums.org/showpost.php...7&postcount=31 And there is a link to my iptables script in posting 36, but as correctly pointed out in later posts, I have some stuff that isn't needed anymore.
Nice thread.
The one I posted above was for a server. Rules that deal with NAT and forwarding will look a lot different.
Ingress/Egress Firewall for a workstation. This allows the workstation to look up domain names and browse the internet, but does not allow any incoming traffic except for traffic related to our outgoing traffic (for example, allows the DNS server to send you the DNS lookup traffic but only AFTER you request it). Useful if this machine only needs to be used to browse the internet.
Code:
#!/bin/sh
## Set default policy in case of typo in script
iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT
## Flush old rules
iptables -F
## Allow loopback traffic
## (the OUTPUT chain matches the outgoing interface with -o; -i is rejected there)
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
## Allow outbound DNS requests
iptables -A OUTPUT -p udp --dport 53 -m state --state NEW -j ACCEPT
## Allow outbound HTTP/S requests
iptables -A OUTPUT -p tcp --dport 80 --syn -m state --state NEW -j ACCEPT
iptables -A OUTPUT -p tcp --dport 443 --syn -m state --state NEW -j ACCEPT
## Allow us to ping other machines
iptables -A OUTPUT -p icmp --icmp-type echo-request -m state --state NEW -j ACCEPT
## Drop invalid packets
iptables -A INPUT -m state --state INVALID -j DROP
iptables -A OUTPUT -m state --state INVALID -j DROP
## Allow responses to traffic we previously allowed to/from this machine
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
## Make default policy to drop all other traffic
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP
Last edited by dfreer; July 11th, 2012 at 03:17 PM.
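An added example, not code from any post in this thread: a small Python lint that parses a single *filter table in iptables-save layout (the format iptables-restore reads, as in the server ruleset above) and reports the mistakes a reviewer would check before loading it, namely an -i match in OUTPUT (iptables-restore aborts the whole load on it), a chain whose policy is ACCEPT but has no final DROP/REJECT, and rules that name more than one source subnet. The SAMPLE ruleset is constructed for the example and deliberately contains all three.

```python
"""Lint an iptables-save ruleset (what iptables-restore reads) for easy mistakes."""
import shlex

# Constructed sample in the layout of an iptables-save *filter table.
SAMPLE = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp -s 192.168.1.0/24 --dport 139 -j ACCEPT
-A INPUT -p tcp -m tcp -s 192.168.0.0/24 --dport 445 -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -j REJECT
-A OUTPUT -i lo -j ACCEPT
COMMIT
"""

def parse_ruleset(text):
    """Return ({chain: policy}, [(chain, option tokens)]); comments, *table and COMMIT are skipped."""
    policies, rules = {}, []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith(":"):             # ":INPUT ACCEPT [0:0]"
            chain, policy = line[1:].split()[:2]
            policies[chain] = policy
        elif line.startswith("-A "):         # "-A CHAIN <matches> -j TARGET"
            tokens = shlex.split(line)
            rules.append((tokens[1], tokens[2:]))
    return policies, rules

def lint_ruleset(text):
    """Return a list of findings; an empty list means the ruleset passed."""
    policies, rules = parse_ruleset(text)
    findings, last_rule, subnets = [], {}, set()
    for chain, tokens in rules:
        last_rule[chain] = tokens
        # OUTPUT has no input interface: iptables-restore aborts the load on "-i" there.
        if chain == "OUTPUT" and "-i" in tokens:
            findings.append("OUTPUT rule uses -i; the output interface match is -o")
        if "-s" in tokens:
            subnets.add(tokens[tokens.index("-s") + 1])
    for chain, policy in policies.items():
        # With policy ACCEPT only a final unconditional DROP/REJECT keeps unmatched traffic out.
        if policy == "ACCEPT" and last_rule.get(chain, [])[:2] not in (["-j", "DROP"], ["-j", "REJECT"]):
            findings.append(f"{chain} policy is ACCEPT with no final DROP/REJECT rule")
    if len(subnets) > 1:
        findings.append("rules name more than one source subnet: " + ", ".join(sorted(subnets)))
    return findings
```

Run it against /etc/network/iptables before the post-up line loads it; an empty result means none of the three checks fired.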