For TeamSpeak3 you should check which of its ports actually need to accept incoming connections, and which the server opens itself with an outgoing connection (those need no inbound rule at all, since the stateful rule lets the replies back in). I have not verified this myself.
Below is a quickly created suggestion at an iptables rule set. You will have to set the external IP address, as I have it set for one of my computers for testing. You might want to reduce the number of logging statements to reduce the sizes of your log files.
You need to read and fully understand the script before you try it. Modifications are probably required for your overall situation. Load it from a console the first time, not only over SSH: it sets the default policy to DROP before any ACCEPT rule exists, so a mistake in the rules can lock you out of a remote machine.
Code:
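#!/bin/sh
#
# diogo_firewall 2011.11.15 Ver: 0.01 Attempt 1.
# See Ubuntu forums post 12356849
# Quick and dirty
# diogo: you might want to reduce the logging.
#
# IPv4 host firewall for a box running SSH plus SA:MP, TeamSpeak3 and
# Minecraft.  INPUT, OUTPUT and FORWARD default to DROP; explicit ACCEPTs
# follow for loopback, stateful return traffic, ping, SSH (with a
# "recent"-based ban list) and the game/voice ports.  Everything else is
# logged (rate limited, so a packet flood cannot fill the disk) and dropped.
#
# Must be run as root.  Set EXTIF and EXTIP to the real external interface
# and address first.  Load it from a console the first time, not only over
# SSH: the policies go to DROP before any ACCEPT rule exists, so a mistake
# between those two points can lock a remote admin out.
#
# NOTE(review): iptables filters IPv4 only.  If this host also has a
# public IPv6 address, the same services are reachable over IPv6 with no
# filtering unless ip6tables is configured as well -- TODO confirm.
FWVER=0.01

# Abort on the first iptables command that fails instead of carrying on
# with a partial rule set.  The policies are DROP and the loopback and
# ESTABLISHED rules are loaded first, so an abort leaves the host closed
# while existing sessions (the admin's SSH) keep working.
set -e

if [ "$(id -u)" -ne 0 ]; then
    echo "diogo_firewall: must be run as root" >&2
    exit 1
fi

# printf, not echo: "echo ...\n" prints a newline under dash (Ubuntu's
# /bin/sh) but a literal backslash-n under bash.
printf 'Loading diogo_firewall version %s..\n\n' "$FWVER"

# The location of the iptables program
#
IPTABLES=/sbin/iptables

# Setting the EXTERNAL and INTERNAL interfaces and addresses for the network
#
EXTIF="eth0"
# Temp set to Doug s15 computer. diogo set this right.
EXTIP="192.168.111.112"
echo " External Interface: $EXTIF External IP: $EXTIP"

# log_rule CHAIN PREFIX [match ...]
# Append a LOG rule to CHAIN for packets matching the remaining arguments,
# capped at 5 log lines a minute (burst 10) so an attacker cannot use the
# firewall itself to fill /var/log.  Every call is paired with a following
# DROP/ACCEPT rule carrying the same matches.
log_rule() {
    chain=$1
    prefix=$2
    shift 2
    "$IPTABLES" -A "$chain" "$@" -m limit --limit 5/minute --limit-burst 10 \
        -j LOG --log-prefix "$prefix" --log-level info
}

# Clearing any previous configuration
#
echo " Clearing any existing rules and setting default policy to DROP.."
"$IPTABLES" -P INPUT DROP
"$IPTABLES" -F INPUT
"$IPTABLES" -P OUTPUT DROP
"$IPTABLES" -F OUTPUT
"$IPTABLES" -P FORWARD DROP
"$IPTABLES" -F FORWARD
# A user chain must be empty before -X will delete it.  The flush fails on
# the very first run, when the chain does not exist yet; ignore that.
"$IPTABLES" -F log-n-drop 2>/dev/null || true
# Delete user defined chains
"$IPTABLES" -X
# Reset all IPTABLES counters
"$IPTABLES" -Z

#######################################################################
# USER DEFINED CHAIN SUBROUTINES:
#
# log-n-drop: log (rate limited) and then drop.
"$IPTABLES" -N log-n-drop
log_rule log-n-drop "GENERIC:"
"$IPTABLES" -A log-n-drop -j DROP

#######################################################################
# INPUT: Incoming traffic from various interfaces. All rulesets are
# already flushed and set to a default policy of DROP.
#
# loopback interfaces are valid.
#
"$IPTABLES" -A INPUT -i lo -j ACCEPT

# Stateful return traffic is accepted ahead of everything else so that
# (a) the bulk of packets takes the short path and (b) from this point on
# an admin's existing SSH session survives even if a later rule fails.
# ICMP errors about our own connections (dest-unreachable, TTL exceeded,
# fragmentation-needed) arrive as RELATED and are accepted here too.
"$IPTABLES" -A INPUT -i "$EXTIF" -d "$EXTIP" -m state --state ESTABLISHED,RELATED -j ACCEPT

# Packets conntrack cannot place in any connection (bad TCP flags, out of
# window, ...).  Dropped here so they never reach the ACCEPT rules below.
log_rule INPUT "INVALID:" -i "$EXTIF" -m state --state INVALID
"$IPTABLES" -A INPUT -i "$EXTIF" -m state --state INVALID -j DROP

# Block specific jerks.
#
# http related
# for example. Put particular annoying IPs directly here:
#"$IPTABLES" -A INPUT -i "$EXTIF" -s 93.170.1.53 -j DROP

# A NEW TCP connection requires SYN bit set and FIN,RST,ACK reset.
log_rule INPUT "NEW TCP no SYN:" -p tcp ! --syn -m state --state NEW
"$IPTABLES" -A INPUT -p tcp ! --syn -m state --state NEW -j DROP

# Source addresses that can never legitimately arrive on the external
# interface: RFC 1918 private ranges, reserved, multicast, link-local,
# loopback, and our own address (a spoofed packet pretending to be us).
# diogo: You might be more relaxed and delete this:
# this one must be removed for testing on Doug internel network, but
# re-enable it before the box faces the Internet:
#log_rule INPUT "Sub192:" -i "$EXTIF" -s 192.168.0.0/16
#"$IPTABLES" -A INPUT -i "$EXTIF" -s 192.168.0.0/16 -j DROP
log_rule INPUT "Sub10:" -i "$EXTIF" -s 10.0.0.0/8
"$IPTABLES" -A INPUT -i "$EXTIF" -s 10.0.0.0/8 -j DROP
log_rule INPUT "Sub172:" -i "$EXTIF" -s 172.16.0.0/12
"$IPTABLES" -A INPUT -i "$EXTIF" -s 172.16.0.0/12 -j DROP
log_rule INPUT "Sub240:" -i "$EXTIF" -s 240.0.0.0/5
"$IPTABLES" -A INPUT -i "$EXTIF" -s 240.0.0.0/5 -j DROP
log_rule INPUT "Sub224:" -i "$EXTIF" -s 224.0.0.0/4
"$IPTABLES" -A INPUT -i "$EXTIF" -s 224.0.0.0/4 -j DROP
log_rule INPUT "Sub169:" -i "$EXTIF" -s 169.254.0.0/16
"$IPTABLES" -A INPUT -i "$EXTIF" -s 169.254.0.0/16 -j DROP
log_rule INPUT "Sub127:" -i "$EXTIF" -s 127.0.0.0/8
"$IPTABLES" -A INPUT -i "$EXTIF" -s 127.0.0.0/8 -j DROP
log_rule INPUT "Spoof:" -i "$EXTIF" -s "$EXTIP"
"$IPTABLES" -A INPUT -i "$EXTIF" -s "$EXTIP" -j DROP

# Ping from anywhere is allowed, but rate limited.  Other unsolicited ICMP
# (timestamp, address-mask, redirects, ...) is not needed and falls through
# to the catch-all; replies and errors for our own connections were already
# accepted as ESTABLISHED/RELATED above.
"$IPTABLES" -A INPUT -i "$EXTIF" -p icmp --icmp-type echo-request -d "$EXTIP" \
    -m limit --limit 10/second --limit-burst 20 -j ACCEPT

# ----- Begin OPTIONAL INPUT Section -----
# Secure Shell on port 22.
#
# Dynamic Badguy List. Detect and DROP Bad IPs that do password attacks on SSH.
# Once they are on the BADGUY list then DROP all packets from them.
#
# How it works: every NEW connection to port 22 records its source in the
# BADGUY_SSH list (--set, last rule).  The --update rules match any packet
# from a source seen 3 or more times within the last 5400 s (90 min) and
# drop it, refreshing the timestamp on each hit, so the ban lasts for as
# long as the source keeps sending.
# Caveats: what is counted is connection attempts, not failed logins --
# three SSH connections in 90 minutes from one address trip it, which can
# lock out a legitimate admin (raise --hitcount, or put an ACCEPT for the
# admin's address above these rules).  A connection established before the
# ban still passes via the ESTABLISHED rule.  Use key-only auth as well.
log_rule INPUT "SSH BAD:" -i "$EXTIF" -m recent --update --hitcount 3 --seconds 5400 --name BADGUY_SSH
"$IPTABLES" -A INPUT -i "$EXTIF" -m recent --update --hitcount 3 --seconds 5400 --name BADGUY_SSH -j DROP
"$IPTABLES" -A INPUT -i "$EXTIF" -p tcp --dport 22 -m state --state NEW -m recent --set --name BADGUY_SSH -j ACCEPT

# HTTPd - Enable the following lines if you run an EXTERNAL WWW server
#
#log_rule INPUT "NEW80:" -i "$EXTIF" -p tcp --dport 80 -d "$EXTIP" -m state --state NEW
#"$IPTABLES" -A INPUT -i "$EXTIF" -p tcp --dport 80 -d "$EXTIP" -m state --state NEW -j ACCEPT

# E-mail on port 25. Enable the following lines if you run an EXTERNAL e-mail server.
#
#"$IPTABLES" -A INPUT -i "$EXTIF" -p tcp --dport 25 -d "$EXTIP" -m state --state NEW -m limit --limit 5/minute --limit-burst 3 -j ACCEPT

# SA:MP server
#
"$IPTABLES" -A INPUT -i "$EXTIF" -p udp --dport 7777 -d "$EXTIP" -m state --state NEW -j ACCEPT

# Teamspeak3
# 9987/udp  voice.
# 10011/tcp ServerQuery, the server's remote administration interface.
#           Exposing it to the whole Internet invites brute force on the
#           query login; if remote admin is needed at all, add
#           "-s <admin-ip>" to that rule, otherwise delete the rule.
# 30033/tcp file transfer.
# 41144/tcp accounting; reportedly opened outbound by the server itself,
#           in which case no inbound rule is needed -- confirm in the TS3
#           docs and remove the rule if so.
"$IPTABLES" -A INPUT -i "$EXTIF" -p udp --dport 9987 -d "$EXTIP" -m state --state NEW -j ACCEPT
"$IPTABLES" -A INPUT -i "$EXTIF" -p tcp --dport 10011 -d "$EXTIP" -m state --state NEW -j ACCEPT
"$IPTABLES" -A INPUT -i "$EXTIF" -p tcp --dport 30033 -d "$EXTIP" -m state --state NEW -j ACCEPT
"$IPTABLES" -A INPUT -i "$EXTIF" -p tcp --dport 41144 -d "$EXTIP" -m state --state NEW -j ACCEPT

# Minecraft
# Is it 2555 or 25555??? UDP or TCP or both?
# The stock Minecraft server listens on TCP, default port 25565 (see
# "server-port" in its server.properties).  The 25555/udp rule below is
# unlikely to be what the clients use -- verify and switch to the
# commented line if so.
"$IPTABLES" -A INPUT -i "$EXTIF" -p udp --dport 25555 -d "$EXTIP" -m state --state NEW -j ACCEPT
#"$IPTABLES" -A INPUT -i "$EXTIF" -p tcp --dport 25565 -d "$EXTIP" -m state --state NEW -j ACCEPT

# Catch all rule, all other incoming is denied.
# (Leave the log-n-drop jump here so that in future I can remember how to do it.)
#
"$IPTABLES" -A INPUT -j log-n-drop
# ----- End OPTIONAL INPUT Section -----
#
echo Loading OUTPUT rulesets...

#######################################################################
# OUTPUT: Outgoing traffic from various interfaces. All rulesets are
# already flushed and set to a default policy of DROP.
#
# loopback interface is valid.
#
"$IPTABLES" -A OUTPUT -o lo -j ACCEPT

# anything else outgoing on remote interface is valid, as long as it
# carries our own source address (the box cannot emit spoofed packets).
#
"$IPTABLES" -A OUTPUT -o "$EXTIF" -s "$EXTIP" -j ACCEPT

# ----- Begin OPTIONAL OUTPUT Section -----
#
# Catch all rule, all other outgoing is denied.
log_rule OUTPUT "OCATCH:"
"$IPTABLES" -A OUTPUT -j DROP
# ----- End OPTIONAL OUTPUT Section -----
#
#######################################################################
echo diogo_firewall "$FWVER" done.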
(note: cut and pasting took out some of my blank line formatting)